BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF BANKING SUPERVISION AND REGULATION

SR 01-15 (SUP)
May 31, 2001

TO THE OFFICER IN CHARGE OF SUPERVISION AND APPROPRIATE SUPERVISORY AND EXAMINATIONS STAFF AT EACH FEDERAL RESERVE BANK AND TO EACH DOMESTIC BANKING ORGANIZATION SUPERVISED BY THE FEDERAL RESERVE

SUBJECT: Standards for Safeguarding Customer Information

The federal banking agencies jointly issued guidelines establishing standards for safeguarding customer information (Guidelines), which will become effective July 1, 2001.[1] A copy of the Federal Register notice is attached. The Guidelines implement section 501 of the Gramm-Leach-Bliley Act, which requires the agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information. The Guidelines were issued by the Federal Reserve as appendices to Regulations H and Y, and apply to customer information maintained by state member banks, bank holding companies, Edge and agreement corporations, and uninsured state-licensed branches and agencies of foreign banks.

The Guidelines require institutions to establish an information security program to assess and control risks to customer information. Under the Guidelines, each institution may implement an information security program appropriate to its size and complexity and the nature and scope of its operations. The board of directors should oversee an institution's efforts to develop, implement, and maintain an effective information security program and approve written information security policies and programs. The Guidelines outline specific security measures that banking organizations should consider in implementing a security program based on the size and complexity of their operations. Training and testing are also critical components of an effective information security program.
The Guidelines specifically require financial institutions to oversee their service provider arrangements in order to protect the security of customer information maintained or processed by service providers.

The Federal Reserve recognizes that banking organizations are highly sensitive to the importance of safeguarding customer information and the need to maintain effective information security programs. Existing examination procedures and supervisory processes already address information security. As a result, most banking organizations should not need to implement new controls and procedures.

Examiners should assess compliance with the Guidelines during each safety and soundness examination or examination cycle (which may include targeted reviews of information technology) subsequent to the July 1, 2001 effective date of the Guidelines and monitor ongoing compliance as needed during the risk-focused examination process. Material instances of non-compliance should be noted in the report of examination. The attached guidance was developed to assist examiners in documenting a financial institution's compliance with the Guidelines. Reserve Banks are asked to distribute this guidance to banking organizations supervised by the Federal Reserve in their districts.

If you have any questions regarding this letter, please contact Mike Wallas, Supervisory Financial Analyst, (202) 452-2081 or Heidi Richards, Assistant Director, (202) 452-2598.

Richard Spillenkothen
Director

Attachments:
Examiner Guidance (208 KB PDF) Revised - 6/7/2001
Federal Register notice (3,588 KB PDF)

Notes:
1. See Federal Register, Vol. 66, No. 22, February 1, 2001, pp. 8616-8641.
Last update: February 21, 2006

Interagency Guidelines Establishing Standards For Safeguarding Customer Information
Federal Reserve System Examiner Guidance

Background

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805).[See Footnote 1] The Guidelines apply to customer information maintained by or on behalf of state member banks and bank holding companies and their nonbank subsidiaries, except for brokers, dealers, persons providing insurance, investment companies, and investment advisors.[See Footnote 2] These Guidelines also apply to customer information maintained by or on behalf of Edge corporations, agreement corporations, and uninsured state-licensed branches or agencies of foreign banks.

The Guidelines require each institution to implement a written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. The program should be designed to ensure the security and confidentiality of customer information, protect against unanticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. Each institution must assess risks to customer information and implement appropriate policies, procedures, training, and testing to manage and control these risks. Institutions must also report annually to the board of directors or a committee of the board of directors.

“Customer information” is defined in the Guidelines as any record, whether in paper, electronic, or other form, containing nonpublic personal information of a customer.
A customer is defined in the same manner as in Regulation P--a consumer who has established a continuing relationship with an institution under which the institution provides one or more financial products or services to the consumer to be used primarily for personal, family, or household purposes. Customer does not include a business, nor does it include a consumer who has not established an ongoing relationship with the financial institution.

An institution or banking organization is not required to implement a uniform information security program. For example, a bank holding company may include subsidiaries within the scope of its information security program or the subsidiaries may implement separate information security programs in accordance with the Guidelines. However, an institution is expected to coordinate all the elements of its information security program.

A service provider is a person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank. Institutions must exercise due diligence in selecting service providers, including reviewing the service provider’s information security program or measures used by the service provider to protect the institution’s customer information. In addition, contracts entered into after March 5, 2001 must require that the service provider implement appropriate measures designed to meet the objectives of the Guidelines. By July 1, 2003, all contracts are subject to this requirement.

Footnote 1 -- See Federal Register Vol. 66, No. 22, February 1, 2001, pp. 8616-8641. Also see Regulation H, 12 CFR 208, Appendix D-2; Regulation K, 12 CFR 221.9 and 221.24; and Regulation Y, 12 CFR 225, Appendix F.
Footnote 2 -- Separate regulations or guidelines issued by the appropriate regulatory agency regarding information security may apply to these subsidiaries.
Institutions must also conduct ongoing oversight to confirm that the service provider maintains appropriate security measures. An institution’s methods for overseeing its service provider arrangements may differ depending on the type of services or service provider or the level of risk. For example, if a service provider is subject to regulations or a code of conduct that impose a duty to protect customer information consistent with the objectives of the Guidelines, the institution may consider that duty in exercising its due diligence and oversight of the service provider. In situations where a service provider hires a subservicer (or subcontractor), the subservicer would not be considered a “service provider” under the Guidelines.

Examination Questionnaire

The following questionnaire may be used in assessing an institution’s compliance with the Guidelines. Depending on the nature of the institution’s operations and the extent of prior supervisory review, not all questions may need to be answered fully on each examination. Other examination resources may also be used if a technical evaluation of information security measures is needed.[See Footnote 3] Examiners should conduct sufficient review in the following areas to provide a basis for evaluating the overall information security program and compliance with the Guidelines.

Footnote 3 -- See, for example, FFIEC Information Systems Examination Handbook, 1996 Edition.

1. Does the bank have a written information security program or policy? Has the written information security program been approved by the board of directors or an appropriate committee of the board?

2. Is the written information security program appropriate given the size and complexity of the organization and its operations? Does it contain the objectives of the program, assign responsibility for implementation, and provide methods for compliance and enforcement?

3. Does the bank periodically update its information security program to reflect changes in the bank’s operations and systems, as well as changes in the threats or risks to the bank’s customer information?

4. Review the bank’s process for assessing risk to its customer information.
a) Has the bank identified the locations, systems, and methods for storing, processing, transmitting, and disposing of its customer information?
b) Has the bank identified reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems and assessed the likelihood and potential damage to the bank and its customers of these threats?

5. Review the bank’s risk management processes for implementing effective measures to protect customer information. Does the bank consider the following areas, and adopt measures the bank concludes are appropriate based on risk?
a) Access controls on computer systems containing customer information to prevent access by unauthorized staff or other individuals.
b) Controls and procedures to prevent employees from providing customer information to unauthorized individuals, including “pretext calling.”[See Footnote 4]
c) Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals.
d) The encryption of electronic customer information, including while in transit or in storage on networks or systems, in case unauthorized individuals are able to gain access.
e) Procedures designed to ensure that modifications to customer information systems are consistent with the bank’s information security program.
f) Dual control procedures, segregation of duties, and employee background checks for employees with access to customer information to minimize risk of internal misuse of customer information.
g) Monitoring systems and procedures to detect unauthorized access to customer information systems that could compromise the security of customer information.
h) Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.[See Footnote 5]
i) Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

Footnote 4 -- See Federal Reserve SR Letter 01-11 “Identity Theft and Pretext Calling,” April 26, 2001, for further information.
Footnote 5 -- See, for example, “Agencies Issue Revised Suspicious Activity Report Form (SAR),” Joint Press Release, June 19, 2000, available at http://www.federalreserve.gov/boarddocs/press/general/2000/20000619/default.htm

6. Have the bank’s employees been trained to implement the information security program?

7. Does the bank regularly test the effectiveness of key controls, systems, and procedures of its information security program? This may include, for example, tests of operational contingency plans, system security audits or “penetration” tests, and tests of critical internal controls over customer information. Are tests conducted by independent staff or are test results reviewed by independent staff?

8. Does the bank provide customer information to any service providers or do any service providers have access to customer information through service provided directly to the bank?
a) If so, has the bank conducted appropriate due diligence in selecting its service providers, taking into consideration information security?
b) As of July 1, 2003, does the bank require its service providers by contract to implement appropriate information security programs and measures (or as of July 1, 2001 if contracts were entered into after March 5, 2001)?
c) Where appropriate based on risk, does the bank monitor its service providers to confirm that they are maintaining appropriate security measures to safeguard the bank’s customer information? For example, does the bank conduct or review the results of audits, security reviews or tests, or other evaluations?

9. Does the bank report to its board or an appropriate committee of the board at least annually on the overall status of the information security program, including the bank’s compliance with the Guidelines and any other material matters?

Federal Register
Thursday, February 1, 2001
Part II

Department of the Treasury
Office of the Comptroller of the Currency
Office of Thrift Supervision
Federal Reserve System
Federal Deposit Insurance Corporation

12 CFR Part 30, et al.
Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness; Final Rule

8616 Federal Register/Vol. 66, No. 22/Thursday, February 1, 2001/Rules and Regulations

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 30
[Docket No. 00–35]
RIN 1557–AB84

FEDERAL RESERVE SYSTEM
12 CFR Parts 208, 211, 225, and 263
[Docket No. R–1073]

FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 308 and 364
RIN 3064–AC39

DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Parts 568 and 570
[Docket No. 2000–112]
RIN 1550–AB36

Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness

AGENCIES: The Office of the Comptroller of the Currency (OCC), Treasury; Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision (OTS), Treasury.

ACTION: Joint final rule.

SUMMARY: The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision (collectively, the Agencies) are publishing final Guidelines establishing standards for safeguarding customer information that implement sections 501 and 505(b) of the Gramm-Leach-Bliley Act (the G–L–B Act or Act). Section 501 of the G-L-B Act requires the Agencies to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to administrative, technical, and physical safeguards for customer records and information. As described in the Act, these safeguards are to: insure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. The Agencies are to implement these standards in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act (FDI Act). These final Guidelines implement the requirements described above.

The Agencies previously issued guidelines establishing Year 2000 safety and soundness standards for insured depository institutions pursuant to section 39 of the FDI Act. Since the events for which these guidelines were issued have passed, the Agencies have concluded that the guidelines are no longer necessary and are rescinding these guidelines.

EFFECTIVE DATE: The joint final rule is effective July 1, 2001. Applicability date: The Year 2000 Standards for Safety and Soundness are no longer applicable as of March 5, 2001.

FOR FURTHER INFORMATION CONTACT:
OCC: John Carlson, Deputy Director for Bank Technology, (202) 874–5013; or Deborah Katz, Senior Attorney, Legislative and Regulatory Activities Division, (202) 874–5090.
Board: Heidi Richards, Assistant Director, Division of Banking Supervision and Regulation, (202) 452–2598; Stephanie Martin, Managing Senior Counsel, Legal Division, (202) 452–3198; or Thomas E. Scanlon, Senior Attorney, Legal Division, (202) 452–3594. For the hearing impaired only, contact Janice Simms, Telecommunication Device for the Deaf (TDD) (202) 452–3544, Board of Governors of the Federal Reserve System, 20th and C Streets, NW, Washington, DC 20551.
FDIC: Thomas J. Tuzinski, Review Examiner, Division of Supervision, (202) 898–6748; Jeffrey M. Kopchik, Senior Policy Analyst, Division of Supervision, (202) 898–3872; or Robert A. Patrick, Counsel, Legal Division, (202) 898–3757.
OTS: Jennifer Dickerson, Manager, Information Technology, Examination Policy, (202) 906–5631; or Christine Harrington, Counsel, Banking and Finance, Regulations and Legislation Division, (202) 906–7957.

SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in the following outline:
I. Background
II. Overview of Comments Received
III. Section-by-Section Analysis
IV. Regulatory Analysis
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 12866
D. Unfunded Mandates Act of 1995

I. Background

On November 12, 1999, President Clinton signed the G–L–B Act (Pub. L. 106–102) into law.
Section 501, titled ‘‘Protection of Nonpublic Personal Information’’, requires the Agencies, the National Credit Union Administration, the Securities and Exchange Commission, and the Federal Trade Commission to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to the administrative, technical, and physical safeguards for customer records and information. As stated in section 501, these safeguards are to: (1) Insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.

Section 505(b) of the G–L–B Act provides that these standards are to be implemented by the Agencies in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the FDI Act.[See Footnote 1] Section 39(a) of the FDI Act authorizes the Agencies to establish operational and managerial standards for insured depository institutions relative to, among other things, internal controls, information systems, and internal audit systems, as well as such other operational and managerial standards as the Agencies determine to be appropriate.[See Footnote 2]

Footnote 1 -- Section 39 applies only to insured depository institutions, including insured branches of foreign banks. The Guidelines, however, will also apply to certain uninsured institutions, such as bank holding companies, certain nonbank subsidiaries of bank holding companies and insured depository institutions, and uninsured branches and agencies of foreign banks. See sections 501 and 505(b) of the G–L–B Act.
Footnote 2 -- OTS has placed its information security guidelines in appendix B to 12 CFR part 570, with the provisions implementing section 39 of the FDI Act.
At the same time, OTS has adopted a regulatory requirement that the institutions OTS regulates comply with the proposed Guidelines. Because information security guidelines are similar to physical security procedures, OTS has included a provision in 12 CFR part 568, which covers primarily physical security procedures, requiring compliance with the Guidelines in part 570.

II. Overview of Comments Received

On June 26, 2000, the Agencies published for comment the proposed Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness in the Federal Register (65 FR 39472). The public comment period closed August 25, 2000. The Agencies collectively received a total of 206 comments in response to the proposal, although many commenters sent copies of the same letter to each of the Agencies. Those combined comments included 49 from banks, 7 from savings associations, 60 from financial institution holding companies; 50 from financial institution trade associations; 33 from other business entities; and four from state regulators. The Federal Reserve also received comments from three Federal Reserve Banks.

The Agencies invited comment on all aspects of the proposed Guidelines, including whether the rules should be issued as guidelines or as regulations. Commenters overwhelmingly supported the adoption of guidelines, with many commenters offering suggestions for ways to improve the proposed Guidelines as discussed below. Many commenters cited the benefits of flexibility and the drawbacks of prescriptive requirements that could become rapidly outdated as a result of changes in technology.

The Agencies also requested comments on the impact of the proposal on community banks, recognizing that community banks operate with more limited resources than larger institutions and may present a different risk profile.
In general, community banks urged the Agencies to issue guidelines that are not prescriptive, that do not require detailed policies or reporting by banks that share little or no information outside the bank, and that provide flexibility in the design of an information security program. Some community banks indicated that the Guidelines are unnecessary because they already have information security programs in place. Others requested clarification of the impact of the Guidelines on banks that do not share any information in the absence of a customer’s consent.

In light of the comments received, the Agencies have decided to adopt the Guidelines, with several changes as discussed below to respond to the commenters’ suggestions. The respective texts of the Agencies’ Guidelines are substantively identical.

In directing the Agencies to issue standards for the protection of customer records and information, Congress provided that the standards apply to all financial institutions, regardless of the extent to which they may disclose information to affiliated or nonaffiliated third parties, electronically transfer data with customers or third parties, or record data electronically. Because the requirements of the Act apply to a broad range of financial institutions, the Agencies believe that the Guidelines must establish appropriate standards that allow each institution the discretion to design an information security program that suits its particular size and complexity and the nature and scope of its activities. In many instances, financial institutions already will have information security programs that are consistent with these Guidelines, because key components of the Guidelines were derived from security-related supervisory guidance previously issued by the Agencies and the Federal Financial Institutions Examination Council (FFIEC). In such situations, little or no modification to an institution’s program will be required.
Below is a section-by-section analysis of the final Guidelines.

III. Section-by-Section Analysis

The discussion that follows applies to each Agency’s Guidelines.

I. Introduction

Paragraph I. of the proposal set forth the general purpose of the Guidelines, which is to provide guidance to each financial institution in establishing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. This paragraph also set forth the statutory authority for the Guidelines, including section 39(a) of the FDI Act (12 U.S.C. 1831p–1) and sections 501 and 505(b) of the G–L–B Act (15 U.S.C. 6801 and 6805(b)). The Agencies received no comments on this paragraph, and have adopted it as proposed.

I.A. Scope

Paragraph I.A. of the proposal described the scope of the Guidelines. Each Agency defined specifically those entities within its particular scope of coverage in this paragraph of the Guidelines. The Agencies received no comments on the issue of which entities are covered by the Guidelines, and have adopted paragraph I.A. as proposed.

I.B. Preservation of Existing Authority

Paragraph I.B. of the proposal made clear that in issuing these Guidelines none of the Agencies is, in any way, limiting its authority to address any unsafe or unsound practice, violation of law, unsafe or unsound condition, or other practice, including any condition or practice related to safeguarding customer information. As noted in the preamble to the proposal, any action taken by any Agency under section 39(a) of the FDI Act and these Guidelines may be taken independently of, in conjunction with, or in addition to any other enforcement action available to the Agency. The Agencies received no comments on this paragraph, and have adopted paragraph I.B. as proposed.

I.C.1. Definitions

Paragraph I.C. set forth the definitions of various terms for purposes of the Guidelines.[See Footnote 3] It also stated that terms used in the Guidelines have the same meanings as set forth in sections 3 and 39 of the FDI Act (12 U.S.C. 1813 and 1831p–1). The Agencies received several comments on the proposed definitions, and have made certain changes as discussed below. The Agencies also have reordered proposed paragraph I.C. so that the statement concerning the reliance on sections 3 and 39(a) of the FDI Act is now in paragraph I.C.1., with the definitions appearing in paragraphs I.C.2.a.-e. The defined terms have been placed in alphabetical order in the final Guidelines.

Footnote 3 -- In addition to the definitions discussed below, the Board’s Guidelines in 12 CFR parts 208 and 225 contain a definition of ‘‘subsidiary’’, which describes the state member bank and bank holding company subsidiaries that are subject to the Guidelines.

I.C.2.a. Board of Directors

The proposal defined ‘‘board of directors’’ to mean, in the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency.[See Footnote 4] The Agencies received no comments on this proposed definition, and have adopted it without change.

Footnote 4 -- The OTS version of the Guidelines does not include this definition because OTS does not regulate foreign institutions. Paragraph I of the OTS Guidelines has been renumbered accordingly.

I.C.2.b. Customer

The proposal defined ‘‘customer’’ in the same way as that term is defined in section .3(h) of the Agencies’ rule captioned ‘‘Privacy of Consumer Financial Information’’ (Privacy Rule).[See Footnote 5]

Footnote 5 -- See 65 FR 35162 (June 1, 2000). Citations to the interagency Privacy Rule in this preamble are to sections only, leaving blank the citations to the part numbers used by each agency.

The Agencies proposed to use this definition in the Guidelines because section 501(b) refers to safeguarding the security and confidentiality of ‘‘customer’’ information. Given that Congress used the same term for both the 501(b) standards and for the sections concerning financial privacy, the Agencies have concluded that it is appropriate to use the same definition in the Guidelines that was adopted in the Privacy Rule. Under the Privacy Rule, a customer is a consumer who has established a continuing relationship with an institution under which the institution provides one or more financial products or services to the consumer to be used primarily for personal, family or household purposes. ‘‘Customer’’ does not include a business, nor does it include a consumer who has not established an ongoing relationship with a financial institution (e.g., an individual who merely uses an institution’s ATM or applies for a loan). See sections .3(h) and (i) of the Privacy Rule.

The Agencies solicited comment on whether the definition of ‘‘customer’’ should be broadened to provide a common information security program for all types of records under the control of a financial institution. The Agencies received many comments on this definition, almost all of which agreed with the proposed definition. Although a few commenters indicated they would apply the same security program to both business and consumer records, the vast majority of commenters supported the use of the same definition of ‘‘customer’’ in the Guidelines as is used in the Privacy Rule.
They observed that the use of the term ‘‘customer’’ in section 501 of the G–L-B Act, when read in the context of the definitions of ‘‘consumer’’ and ‘‘customer relationship’’ in section 509, reflects the Congressional intent to distinguish between certain kinds of consumers for the information security standards and the other privacy provisions established under subtitle A of Title V.

The Agencies have concluded that the definition of ‘‘customer’’ used in the Guidelines should be consistent with the definition established in section .3(h) of the Privacy Rule. The Agencies believe, therefore, that the most reasonable interpretation of the applicable provisions of subtitle A of Title V of the Act is that a financial institution is obligated to protect the security and confidentiality of the nonpublic personal information of its consumers with whom it has a customer relationship. As a practical matter, a financial institution may also design or implement its information security program in a manner that encompasses the records and information of its other consumers and its business clients.[See Footnote 6]

Footnote 6 -- The Agencies recognize that ‘‘customer’’ is defined more broadly under Subtitle B of Title V of the Act, which, in general, makes it unlawful for any person to obtain or attempt to obtain customer information of a financial institution by making false, fictitious, or fraudulent statements. For the purpose of that subtitle, the term ‘‘customer’’ means ‘‘any person (or authorized representative of a person) to whom the financial institution provides a product or service, including that of acting as a fiduciary.’’ (See section 527(1) of the Act.) In light of the statutory mandate to ‘‘prescribe such revisions to such regulations and guidelines as may

I.C.2.c. Customer Information

The proposal defined ‘‘customer information’’ as any records containing nonpublic personal information, as defined in section .3(n) of the Privacy Rule, about a customer. This included records, data, files, or other information in paper, electronic, or other form that are maintained by any service provider on behalf of an institution. Although section 501(b) of the G–L-B Act refers to the protection of both customer ‘‘records’’ and ‘‘information’’, for the sake of simplicity, the proposed Guidelines used the term ‘‘customer information’’ to encompass both information and records.

The Agencies received several comments on this definition. The commenters suggested that the proposed definition was too broad because it included files ‘‘containing’’ nonpublic personal information. The Agencies believe, however, that a financial institution’s security program must apply to files that contain nonpublic personal information in order to adequately protect the customer’s information. In deciding what level of protection is appropriate, a financial institution may consider the fact that a given file contains very little nonpublic personal information, but that fact would not render the file entirely beyond the scope of the Guidelines. Accordingly, the Agencies have adopted a definition of ‘‘customer record’’ that is substantively the same as the proposed definition. The Agencies have, however, deleted the reference to ‘‘data, files, or other information’’ from the final Guidelines, since each is included in the term ‘‘records’’ and also is covered by the reference to ‘‘paper, electronic, or other form’’.

I.C.2.d. Customer Information System

The proposal defined ‘‘customer information system’’ to be electronic or physical methods used to access, collect, store, use, transmit, or protect customer information. The Agencies received a few comments on this definition, mostly from commenters who stated that it is too broad. The Agencies believe that the definition needs to be sufficiently broad to protect all customer information, wherever the information is located within a financial institution and however it is used. Nevertheless, the broad scope of the definition of ‘‘customer information system’’ should not result in an undue burden because, in other important respects, the Guidelines allow a high degree of flexibility for each institution to design a security program that suits its circumstances.

For these reasons, the Agencies have adopted the definition of ‘‘customer information system’’ largely as proposed. However, the phrase ‘‘electronic or physical’’ in the proposal has been deleted because each is included in the term ‘‘any methods’’. The Agencies also have added a specific reference to records disposal in the definition of ‘‘customer information system.’’ This is consistent with the proposal’s inclusion of access controls in the list of items a financial institution is to consider when establishing security policies and procedures (see discussion of paragraph III.C.1.a., below), given that inadequate disposal of records may result in identity theft or other misuse of customer information. Under the final Guidelines, a financial institution’s responsibility to safeguard customer information continues through the disposal process.

I.C.2.e.
Service Provider be necessary to ensure that such financial institutions have policies, procedures, and controls The proposal defined a ‘‘service in place to prevent the unauthorized disclosure of provider’’ as any person or entity that customer financial information’’ (section 525), the maintains or processes customer Agencies considered modifying these Guidelines to cover other customers, namely, business entities information for a financial institution, and individuals who obtain financial products and or is otherwise granted access to services for purposes other than personal, family, or household purposes. The Agencies have concluded, customer information through its provision of services to an institution. however, that defining ‘‘customer’’ to accommodate the range of objectives set forth in Title V of the Act One commenter urged the Agencies to is unnecessary. Instead, the Agencies have included modify this definition so that it would a new paragraph III.C.1.a, described below, and not include a financial institution’s plan to issue guidance and other revisions to the attorneys, accountants, and appraisers. applicable regulations, as may be necessary, to satisfy the requirements of section 525 of the Act.[EndofOthers Footnote6]suggested deleting the phrase ‘‘or Federal Register/Vol. 66, No. 22/Thursday, February 1, 2001/Rules and Regulations is otherwise granted access to customer information through its provision of services to an institution’’. The Agencies believe that the Act requires each financial institution to adopt a comprehensive information security program that is designed to protect against unauthorized access to or use of customers’ nonpublic personal information. Disclosing information to a person or entity that provides services to a financial institution creates additional risks to the security and confidentiality of the information disclosed. 
In order to protect against these risks, a financial institution must take appropriate steps to protect information that it provides to a service provider, regardless of who the service provider is or how the service provider obtains access. The fact that an entity obtains access to customer information through, for instance, providing professional services does not obviate the need for the financial institution to take appropriate steps to protect the information. Accordingly, the Agencies have determined that, in general, the term ‘‘service provider’’ should be broadly defined to encompass a variety of individuals or companies that provide services to the institution. This does not mean, however, that a financial institution’s methods for overseeing its service provider arrangements will be the same for every provider. As explained in the discussion of paragraph III.D., a financial institution’s oversight responsibilities will be shaped by the institution’s analysis of the risks posed by a given service provider. If a service provider is subject to a code of conduct that imposes a duty to protect customer information consistent with the objectives of these Guidelines, a financial institution may take that duty into account when deciding what level of oversight it should provide. Moreover, a financial institution will be responsible under the final Guidelines for overseeing its service provider arrangements only when the service is provided directly to the financial institution. The Agencies clarified this point by amending the definition of ‘‘service provider’’ in the final Guidelines to state that it applies only to a person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the financial institution.
Thus, for instance, a payment intermediary involved in the collection of a check but that has no correspondent relationship with a financial institution would not be considered a service provider of that financial institution under this rule. By contrast, a financial institution’s correspondent bank would be considered its service provider. Nevertheless, the financial institution may take into account the fact that the correspondent bank is itself a financial institution that is subject to security standards under section 501(b) when it determines the appropriate level of oversight for that service provider.[See Footnote 7] In situations where a service provider hires a subservicer,[See Footnote 8] the subservicer would not be a ‘‘service provider’’ under the final Guidelines. The Agencies recognize that it would be inappropriate to impose obligations on a financial institution to select and monitor subservicers in situations where the financial institution has no contractual relationship with that person or entity. When conducting due diligence in selecting its service providers (see discussion of paragraph III.D., below), however, a financial institution must determine that the service provider has adequate controls to ensure that the subservicer will protect the customer information in a way that meets the objectives of these Guidelines.

Footnote 7--Similarly, in the case of a service provider that is not subject to these Guidelines but is subject to standards adopted by its primary regulator under section 501(b) of the G–L-B Act, a financial institution may take that fact into consideration when deciding what level of oversight is appropriate for that service provider.[End of Footnote 7]

Footnote 8--The term ‘‘subservicer’’ means any person who has access to an institution’s customer information through its provision of services to the service provider and is not limited to mortgage subservicers.[End of Footnote 8]

II. Standards for Safeguarding Customer Information

II.A. Information Security Program

The proposed Guidelines described the Agencies’ expectations for the creation, implementation, and maintenance of a comprehensive information security program. As noted in the proposal, this program must include administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities.

Several commenters representing large and complex organizations were concerned that the term ‘‘comprehensive information security program’’ required a single and uniform document that must apply to all component parts of the organization. In response, the Agencies note that a program that includes administrative, technical, and physical safeguards will, in many instances, be composed of more than one document. Moreover, use of this term does not require that all parts of an organization implement a uniform program. However, the Agencies will expect an institution to coordinate all the elements of its information security program. Where the elements of the program are dispersed throughout the institution, management should be aware of these elements and their locations. If they are not maintained on a consolidated basis, management should have an ability to retrieve the current documents from those responsible for the overall coordination and ongoing evaluation of the program.

The Board received comment on its proposal to revise the appendix to Regulation Y regarding the provision that would require a bank holding company to ensure that each of its subsidiaries is subject to a comprehensive information security program.[See Footnote 9] This comment urged the Board to eliminate that provision and argued, in part, that the requirement assumes that a bank holding company has the power to impose such controls upon its subsidiary companies. These commenters recommended, instead, that the standards should be limited to customer information in the possession or control of the bank holding company. Under the Bank Holding Company Act of 1956 and the Board’s Regulation Y, a subsidiary is presumed to be controlled directly or indirectly by the holding company. 12 U.S.C. 1841(d); 12 CFR 225.2(o). Moreover, the Board believes that a bank holding company is ultimately responsible for ensuring that its subsidiaries comply with the standards set forth under these Guidelines. The Board recognizes, however, that a bank holding company may satisfy its obligations under section 501 of the GLB Act through a variety of measures, such as by including a subsidiary within the scope of its information security program or by causing the subsidiary to implement a separate information security program in accordance with these Guidelines.

Footnote 9--The appendix provided that the proposed Guidelines would be applicable to customer information maintained by or on behalf of bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisors) for which the Board has supervisory authority. See 65 FR 39484 (June 26, 2000).[End of Footnote 9]

II.B. Objectives

Paragraph II.B. of the proposed Guidelines described the objectives that each financial institution’s information security program should be designed to achieve. These objectives tracked the objectives as stated in section 501(b)(1)–(3), adding only that the security program is to protect against unauthorized access that could risk the safety and soundness of the institution. The Agencies requested comment on whether there are additional or alternative objectives that should be included in the Guidelines.

The Agencies received several comments on this proposed paragraph, most of which objected to language that, in the commenters’ view, required compliance with objectives that were impossible to meet. Many commenters stated, for instance, that no information security program can ensure that there will be no problems with the security or confidentiality of customer information. Others criticized the objective that required protection against any anticipated threat or hazard. A few commenters questioned the objective of protecting against unauthorized access that could result in inconvenience to a customer, while others objected to the addition of the safety and soundness standard noted above. The Agencies do not believe the statute mandates a standard of absolute liability for a financial institution that experiences a security breach. Thus, the Agencies have clarified these objectives by stating that each security program is to be designed to accomplish the objectives stated. With the one exception discussed below, the Agencies have otherwise left unchanged the statement of the objectives, given that these objectives are identical to those set out in the statute. In response to comments that objected to the addition of the safety and soundness standard, the Agencies have deleted that reference in order to make the statement of objectives identical to the objectives identified in the statute.
The Agencies believe that risks to the safety and soundness of a financial institution may be addressed through other supervisory or regulatory means, making it unnecessary to expand the statement of objectives in this rulemaking.

Some commenters asked for clarification of a financial institution’s responsibilities when a customer authorizes a third party to access that customer’s information. For purposes of the Guidelines, access to or use of customer information is not ‘‘unauthorized’’ access if it is done with the customer’s consent. When a customer gives consent to a third party to access or use that customer’s information, such as by providing the third party with an account number, PIN, or password, the Guidelines do not require the financial institution to prevent such access or monitor the use or redisclosure of the customer’s information by the third party. Finally, unauthorized access does not mean disclosure pursuant to one of the exceptions in the Privacy Rule.

III. Develop and Implement Information Security Program

III.A. Involve the Board of Directors

Paragraph III.A. of the proposal described the involvement of the board and management in the development and implementation of an information security program. As explained in the proposal, the board’s responsibilities are to: (1) Approve the institution’s written information security policy and program; and (2) oversee efforts to develop, implement, and maintain an effective information security program, including reviewing reports from management. The proposal also laid out management’s responsibilities for developing, implementing, and maintaining the security program.

The Agencies received a number of comments regarding the requirement of board approval of the information security program. Some commenters stated that each financial institution should be allowed to decide for itself whether to obtain board approval of its program.
Others suggested that approval by either a board committee or at the holding company level might be appropriate. Still others suggested modifying the Guidelines to require only that the board approve the initial information security program and delegate subsequent review and approval of the program to either a committee or an individual. The Agencies believe that a financial institution’s overall information security program is critical to the safety and soundness of the institution. Therefore, the final Guidelines continue to place responsibility on an institution’s board to approve and exercise general oversight over the program. However, the Guidelines allow the entire board of a financial institution, or an appropriate committee of the board to approve the institution’s written security program. In addition, the Guidelines permit the board to assign specific implementation responsibilities to a committee or an individual.

One commenter suggested that the Guidelines be revised to provide that if a holding company develops, approves, and oversees the information security program that applies to its bank and nonbank subsidiaries, there should be no separate requirement for each subsidiary to do the same thing, as long as those subsidiaries agree to abide by the holding company’s security program. The Agencies agree that subsidiaries within a holding company can use the security program developed at the holding company level. However, if subsidiary institutions choose to use a security program developed at the holding company level, the board of directors or an appropriate committee at each subsidiary institution must conduct an independent review to ensure that the program is suitable and complies with the requirements prescribed by the subsidiary’s primary regulator. See 12 U.S.C. 505.
Once the subsidiary institution’s board, or a committee thereof, has approved the security program, it must oversee the institution’s efforts to implement and maintain an effective program.

The Agencies also received comments suggesting that use of the term ‘‘oversee’’ conveyed the notion that a board is expected to be involved in day-to-day monitoring of the development, implementation, and maintenance of an information security program. The Agencies’ use of the term ‘‘oversee’’ is meant to convey a board’s conventional supervisory responsibilities. Day-to-day monitoring of any aspect of an information security program is a management responsibility. The final Guidelines reflect this by providing that the board must oversee the institution’s information security program but may assign specific responsibility for its implementation.

The Agencies invited comment on whether the Guidelines should require that the board designate a Corporate Information Security Officer or other responsible individual who would have the authority, subject to the board’s approval, to develop and administer the institution’s information security program. The Agencies received a number of comments suggesting that the Agencies should not require the creation of a new position for this purpose. Some financial institutions also stated that hiring one or more additional staff for this purpose would impose a significant burden. The Agencies believe that a financial institution will not need to create a new position with a specific title for this purpose, as long as the institution has adequate staff in light of the risks to its customer information.
Regardless of whether new staff are added, the lines of authority and responsibility for development, implementation, and administration of a financial institution’s information security program need to be well defined and clearly articulated.[See Footnote 10]

Footnote 10--The Agencies note that other regulations already require a financial institution to designate a security officer for different purposes. See 12 CFR 21.2; 12 CFR 208.61(b).[End of Footnote 10]

The proposal identified three responsibilities of management in the development of an information security program. They were to: (1) Evaluate the impact on a financial institution’s security program of changing business arrangements and changes to customer information systems; (2) document compliance with these Guidelines; and (3) keep the board informed of the overall status of the institution’s information security program. A few commenters objected to the Agencies assigning specific tasks to management. These commenters did not object to the tasks per se, but suggested that the Agencies allow an institution’s board and management to decide who within the institution is to carry out the tasks. The Agencies agree that a financial institution is in the best position to determine who should be assigned specific roles in implementing the institution’s security program. Accordingly, the Agencies have deleted the separate provision assigning specific roles to management. The responsibilities that were contained in this provision are now included in other paragraphs of the Guidelines.

III.B. Assess Risk

Paragraph III.B. of the proposal described the risk assessment process to be used in the development of the information security program. Under the proposal, a financial institution was to identify and assess the risks to customer information.
As part of that assessment, the institution was to determine the sensitivity of the information and the threats to the institution’s systems. The institution also was to assess the sufficiency of its policies, procedures, systems, and other arrangements in place to control risk. Finally, the institution was to monitor, evaluate, and adjust its risk assessment in light of changes in areas identified in the proposal.

The Agencies received several comments on these provisions, most of which focused on the requirement that financial institutions do a sensitivity analysis. One commenter noted that ‘‘customer information’’ is defined to mean ‘‘nonpublic personal information’’ as defined in the G–L-B Act, and that the G–L-B Act provides the same level of coverage for all nonpublic personal information. The commenter stated that it is therefore unclear how the level of sensitivity would affect an institution’s obligations with respect to the security of this information. While the Agencies agree that all customer information requires protection, the Agencies believe that requiring all institutions to afford the same degree of protection to all customer information may be unnecessarily burdensome in many cases. Accordingly, the final Guidelines continue to state that institutions should take into consideration the sensitivity of customer information. Disclosure of certain information (such as account numbers or access codes) might be particularly harmful to customers if the disclosure is not authorized. Individuals who try to breach the institution’s security systems may be likely to target this type of information. When such information is housed on systems that are accessible through public telecommunications networks, it may require more and different protections, such as encryption, than if it were located in a locked file drawer.
To provide flexibility to respond to these different security needs in the way most appropriate, the Guidelines confer upon institutions the discretion to determine the levels of protection necessary for different categories of information. Institutions may treat all customer information the same, provided that the level of protection is adequate for all the information.

Other commenters suggested that the risk assessment requirement be tied to reasonably foreseeable risks. The Agencies agree that the security program should be focused on reasonably foreseeable risks and have amended the final Guidelines accordingly.

The final Guidelines make several other changes to this paragraph to improve the order of the Guidelines and to eliminate provisions that were redundant in light of responsibilities outlined elsewhere. For instance, while the proposal stated that the risk assessment function included the need to monitor for relevant changes to technology, sensitivity of customer information, and threats to information security and make adjustments as needed, that function has been incorporated into the discussion of managing and controlling risk in paragraphs III.C.3. and III.E. Thus, under the Guidelines as adopted, a financial institution should identify the reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems. Next, the risk assessment should consider the potential damage that a compromise of customer information from an identified threat would have on the customer information, taking into consideration the sensitivity of the information to be protected in assessing the potential damage. Finally, a financial institution should conduct an assessment of the sufficiency of existing policies, procedures, customer information systems, and other arrangements intended to control the risks it has identified.

III.C. Manage and Control Risk

Paragraph III.C. describes the steps an institution should take to manage and control the risks identified in paragraph III.B.

Establish policies and procedures (III.C.1.). Paragraph III.C.1 of the proposal described the elements of a comprehensive risk management plan designed to control identified risks and to achieve the overall objective of ensuring the security and confidentiality of customer information. It identified eleven factors an institution should consider in evaluating the adequacy of its policies and procedures to effectively manage these risks.

The Agencies received a large number of comments on this paragraph. Most of the comments were based on a perception that every institution would have to adopt every security measure listed in proposed III.C.1.a.-k. as part of the institution’s policies and procedures. In particular, a number of commenters were concerned that the proposed Guidelines would require the encryption of all customer data. The Agencies did not intend for the security measures listed in paragraph III.C.1. to be seen as mandatory for all financial institutions and for all data. Rather, the Agencies intended only that an institution would consider whether the protections listed were appropriate for the institution’s particular circumstances, and, if so, adopt those identified as appropriate. The Agencies continue to believe that these elements may be adapted by institutions of varying sizes, scope of operations, and risk management structures. Consistent with that approach, the manner of implementing a particular element may vary from institution to institution.
For example, while a financial institution that offers Internet-based transaction accounts may conclude that encryption is appropriate, a different institution that processes all data internally and does not have a transactional web site may consider other kinds of access restrictions that are adequate to maintain the confidentiality of customer information. To underscore this point, the final Guidelines have been amended to state that each financial institution must consider whether the security elements discussed in paragraphs III.C.1.a.-h. are appropriate for the institution and, if so, adopt those elements an institution concludes are appropriate.

The Agencies invited comment on the degree of detail that should be included in the Guidelines regarding the risk management program, including which elements should be specified in the Guidelines, and any other components of a risk management program that should be listed. With the exception of those commenters who thought some or all of the elements of the risk management program were intended to be mandatory for all financial institutions, the comments supported the level of detail conveyed in the proposed Guidelines. The Agencies have adopted the provision regarding management and control of risks with the changes discussed below. Comments addressing proposed security measures that have been adopted without change also are discussed below.

Access rights. The Agencies received a number of comments suggesting that the reference to ‘‘access rights to customer information’’ in paragraph III.C.1.a. of the proposal could be interpreted to mean providing customers with a right of access to financial information. The reference was intended to refer to limitations on employee access to customer financial information, not to customer access to financial information.
However, this element has been deleted since limitations on employee access are covered adequately in other parts of paragraph III.C.1. (See discussion of ‘‘access controls’’ in paragraph III.C.1.a. of the final Guidelines, below.)

Access controls. Paragraph III.C.1.b. of the proposed Guidelines required a financial institution to consider appropriate access controls when establishing its information security policies and procedures. These controls were intended to address unauthorized access to an institution’s customer information by anyone, whether or not employed by the institution. The Agencies believe that this element sufficiently addresses the concept of unauthorized access, regardless of who is attempting to obtain access. This would cover, for instance, attempts through pretext calling to gather information about a financial institution’s customers.[See Footnote 11] The Agencies have amended the final Guidelines to refer specifically to pretext calling in new III.C.1.a. The Agencies do not intend for the final Guidelines to require a financial institution to provide its customers with access to information the institution has gathered. Instead, the provision in the final Guidelines addressing access is limited solely to the issue of preventing unauthorized access to customer information. The Agencies have deleted the reference in the proposed paragraph III.C.1.b. to providing access to authorized companies. This change was made partly in response to commenters who objected to what they perceived to be an inappropriate expansion of the scope of the Guidelines to include company records and partly in recognition of the fact that access to records would be obtained, in any case, only through requests by individuals.

Footnote 11--Pretext calling is a fraudulent means of obtaining an individual’s personal information by persons posing as bank customers.[End of Footnote 11]
The final Guidelines require an institution to consider the need for access controls in light of the institution’s various customer information systems and adopt such controls as appropriate.

Dual control procedures. Paragraph III.C.1.f. of the proposed Guidelines stated that financial institutions should consider dual control procedures, segregation of duties, and employee background checks for employees with responsibility for, or access to, customer information. Most of the comments on this paragraph focused on dual control procedures, which refers to a security technique that uses two or more separate persons, operating together to protect sensitive information. Both persons are equally responsible for protecting the information and neither can access the information alone. According to one commenter, dual controls are part of normal audit procedures and did not need to be restated. Other commenters suggested that dual control procedures are not always necessary, implying that these procedures are not the norm. The Agencies recognize that dual-control procedures are not necessary for all activities, but might be appropriate for higher-risk activities. Given that the Guidelines state only that dual control procedures should be considered by a financial institution and adopted only if appropriate for the institution, the Agencies have retained a reference to dual control procedures in the items to be considered (paragraph III.C.1.e).

Oversight of servicers. Paragraph III.C.1.g. of the proposal was deleted. Instead, the final Guidelines consolidate the provisions related to service providers in paragraph III.D.

Physical hazards and technical failures. The paragraphs of the proposed Guidelines addressing protection against destruction due to physical hazards and technological failures (paragraphs III.C.1.j. and k., respectively, of the proposal) have been consolidated in paragraph III.C.1.h. of the final Guidelines.
The Agencies believe that this change improves clarity and recognizes that disaster recovery from environmental and technological failures often involves the same considerations.

Training (III.C.2.). Paragraph III.C.2. of the proposed Guidelines provided that an institution’s information security program should include a training component designed to train employees to recognize, respond to, and report unauthorized attempts to obtain customer information. The Agencies received several comments suggesting that this provision directed staff of financial institutions to report suspected attempts to obtain customer information to law enforcement agencies rather than to the management of the financial institution. The Agencies did not intend that result, and note that nothing in the Guidelines alters other applicable requirements and procedures for reporting suspicious activities. For purposes of these Guidelines, the Agencies believe that, as part of a training program, staff should be made aware both of federal reporting requirements and of an institution’s procedures for reporting suspicious activities, including attempts to obtain access to customer information without proper authority.

The final Guidelines amend the provision governing training to state that a financial institution’s information security program should include a training component designed to implement the institution’s information security policies and procedures. The Agencies believe that the appropriate focus for the training should be on compliance with the institution’s security program generally and not just on the limited aspects identified in proposed III.C.2. The provisions governing reporting have been moved to paragraph III.C.1.g., which addresses response programs in general.

Testing (III.C.3.). Paragraph III.C.3. of the proposed Guidelines provided that an information security program should include regular testing of key controls, systems, and procedures.
Federal Register/Vol. 66, No. 22/Thursday, February 1, 2001/Rules and Regulations

The proposal provided that the frequency and nature of the testing should be determined by the risk assessment and adjusted as necessary to reflect changes in both internal and external conditions. The proposal also provided that the tests are to be conducted, where appropriate, by independent third parties or staff independent of those that develop or maintain the security program. Finally, the proposal stated that test results are to be reviewed by independent third parties or staff independent of those that conducted the test. The Agencies requested comment on whether specific types of security tests, such as penetration tests or intrusion detection tests, should be required.

The most frequent comment regarding testing of key controls was that the Agencies should not require specific tests. Commenters noted that because technology changes rapidly, the tests specified in the Guidelines will become obsolete and other tests will become the standard. Consequently, according to these commenters, the Guidelines should identify areas where testing may be appropriate without requiring a financial institution to implement a specific test or testing procedure. Several commenters noted that periodic testing of information security controls is a sound idea and is an appropriate standard for inclusion in these Guidelines.

The Agencies believe that a variety of tests may be used to ensure the controls, systems, and procedures of the information security program work properly and also recognize that such tests will progressively change over time. The Agencies believe that the particular tests that may be applied should be left to the discretion of management rather than specified in advance in these Guidelines. Accordingly, the final Guidelines do not require a financial institution to apply specific tests to evaluate the key control systems of its information security program.
The Agencies also invited comment regarding the appropriate degree of independence that should be specified in the Guidelines in connection with the testing of information security systems and the review of test results. The proposal asked whether the tests or reviews of tests should be conducted by persons who are not employees of the financial institution. The proposal also asked whether employees may conduct the testing or may review test results, and what measures, if any, are appropriate to assure their independence. Some commenters interpreted the proposal as requiring three separate teams of people to provide sufficient independence to control testing: one team to operate the system; a second team to test the system; and a third team to review test results. This approach, they argued, would be too burdensome and expensive to implement. The Agencies believe that the critical need for independence is between those who operate the systems and those who either test them or review the test results. Therefore, the final Guidelines now require that tests should be conducted or reviewed by persons who are independent of those who operate the systems, including the management of those systems.

Whether a financial institution should use third parties to either conduct tests or review their results depends upon a number of factors. Some financial institutions may have the capability to thoroughly test certain systems in-house and review the test results but will need the assistance of third-party testers to assess other systems. For example, an institution’s internal audit department may be sufficiently trained and independent for the purposes of testing certain key controls and providing test results to decision makers independent of system managers. Some testing may be conducted by third parties in connection with the actual installation or modification of a particular program.
In each instance, management needs to weigh the benefits of testing and test review by third parties against its own resources in this area, both in terms of expense and reliability.

Ongoing adjustment of program. Paragraph III.C.4. of the proposal required an institution to monitor, evaluate and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information security. This provision was previously located in the paragraph titled “Manage and Control Risk”. While there were no comments on this provision, the Agencies wanted to highlight this concept and clarify that this provision is applicable to an institution’s entire information security program. Therefore, this provision is now separately identified as new paragraph III.E. of the final Guidelines, discussed below.

III.D. Oversee Service Provider Arrangements

The Agencies’ proposal addressed service providers in two provisions. The Agencies provided that an institution should consider contract provisions and oversight mechanisms to protect the security of customer information maintained or processed by service providers as one of the proposed elements to be considered in establishing risk management policies and procedures (proposed paragraph III.C.1.g.). Additionally, proposed paragraph III.D. provided that, when an institution uses an outsourcing arrangement, the institution would continue to be responsible for safeguarding customer information that it gives to the service provider. That proposed paragraph also provided that the institution must use due diligence in managing and monitoring the outsourcing arrangement to confirm that its service providers would protect customer information consistent with the Guidelines.
The Agencies requested comment on the appropriate treatment of outsourcing arrangements, such as whether industry best practices are available regarding effective monitoring of service provider security precautions, whether service providers accommodate requests for specific contract provisions regarding information security, and, to the extent that service providers do not accommodate these requests, whether financial institutions implement effective information security programs. The Agencies also requested comment on whether institutions would find it helpful if the Guidelines contained specific contract provisions requiring service provider performance standards in connection with the security of customer information.

The Agencies received one example of best practices, but the commenter did not recommend that they be included in the Guidelines. While some commenters suggested that the Guidelines include best practices, other commenters stated that, given the various types of financial institutions, there could be a variety of best industry practices. Another commenter stated that best practices could become minimum requirements that result in inappropriate burdens. The Agencies recognize that information security practices are likely to evolve rapidly, and thus believe that it is inappropriate to include best practices in the final Guidelines.

Commenters were mixed as to whether service providers are receptive to contract modifications to protect customer information. Commenters were uniform, however, in stating that an institution’s obligation to monitor service providers should not include onsite audits by the institution or its agent. The commenters stated that, in addition to the expense for financial institutions, the procedure would place an inordinate burden on many service providers that process customer information for multiple institutions.
Several commenters noted that the service providers often contract for audits of their systems and that institutions should be able to rely upon those testing procedures. Some commenters recommended that an institution’s responsibility for information given to service providers require only that the institution enter into appropriate contractual arrangements. However, commenters also indicated that requiring specific contract provisions would not be consistent with the development of flexible Guidelines and recommended against the inclusion of specific provisions.

The Agencies believe that financial institutions should enter into appropriate contracts, but also believe that these contracts, alone, are not sufficient. Therefore, the final Guidelines, in paragraph III.D., include provisions relating to selecting, contracting with, and monitoring service providers.

The final Guidelines require that an institution exercise appropriate due diligence in the selection of service providers. Due diligence should include a review of the measures taken by a service provider to protect customer information. As previously noted in the discussion of “service provider”, it also should include a review of the controls the service provider has in place to ensure that any subservicer used by the service provider will be able to meet the objectives of these Guidelines.

The final Guidelines also require that a financial institution have a contract with each of its service providers that requires each provider to implement appropriate measures designed to meet the objectives of these Guidelines (as stated in paragraph II.B.). This provision does not require a service provider to have a security program in place that complies with each paragraph of these Guidelines.
Instead, by stating that a service provider’s security measures need only achieve the objectives of these Guidelines, the Guidelines provide flexibility for a service provider’s information security measures to differ from the program that a financial institution implements. The Agencies have provided a two-year transition period during which institutions may bring their outsourcing contracts into compliance. (See discussion of paragraph III.F.) The Agencies have not included model contract language, given our belief that the precise terms of service contracts are best left to the parties involved.

Each financial institution must also exercise an appropriate level of oversight over each of its service providers to confirm that the service provider is implementing the provider’s security measures. The Agencies have amended the Guidelines as proposed to include greater flexibility with regard to the monitoring of service providers. A financial institution need only monitor its outsourcing arrangements if such oversight is indicated by an institution’s own risk assessment. The Agencies recognize that not all outsourcing arrangements will need to be monitored or monitored in the same fashion. Some service providers will be financial institutions that are directly subject to these Guidelines or other standards promulgated by their primary regulator under section 501(b). Other service providers may already be subject to legal and professional standards that require them to safeguard the institution’s customer information. Therefore, the final Guidelines permit an institution to do a risk assessment taking these factors into account and determine for itself which service providers will need to be monitored. Even where monitoring is warranted, the Guidelines do not require on-site inspections.
Instead, the Guidelines state that this monitoring can be accomplished, for example, through the periodic review of the service provider’s associated audits, summaries of test results, or equivalent measures of the service provider. The Agencies expect that institutions will arrange, when appropriate, through contracts or otherwise, to receive copies of audits and test result information sufficient to assure the institution that the service provider implements information security measures that are consistent with its contract provisions regarding the security of customer information. The American Institute of Certified Public Accountants Statement of Auditing Standards No. 70, captioned “Reports on the Processing of Transactions by Service Organizations” (SAS 70 report), is one commonly used external audit tool for service providers. Information contained in an SAS 70 report may enable an institution to assess whether its service provider has information security measures that are consistent with representations made to the institution during the service provider selection process.

III.E. Adjust the Program

Paragraphs III.B.3 and III.C.4. of the proposed Guidelines both addressed a financial institution’s obligations when circumstances change. Both paragraph III.B.3. (which set forth management’s responsibilities with respect to its risk assessment) and paragraph III.C.4. (which focused on the adequacy of an institution’s information security program) identified the possible need for changes to an institution’s program in light of relevant changes to technology, the sensitivity of customer information, and internal or external threats to the information security. The Agencies received no comments objecting to the statements in these paragraphs of the need to adjust a financial institution’s program as circumstances change.
While the Agencies have not changed the substance of these provisions in the final Guidelines, we have, however, made a stylistic change to simplify the Guidelines. The final Guidelines combine, in paragraph III.E., the provisions previously stated separately. Consistent with the proposal, this paragraph provides that each financial institution must monitor, evaluate, and adjust its information security program in light of relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the institution’s own changing business arrangements. This would include an analysis of risks to customer information posed by new technology (and any needed program adjustments) before a financial institution adopts the technology in order to determine whether a security program remains adequate in light of the new risks presented. [See Footnote 12]

Footnote 12--For additional information concerning how a financial institution should identify, measure, monitor, and control risks associated with the use of technology, see OCC Bulletin 98–3 concerning technology risk management, which may be obtained on the Internet at http://www.occ.treas.gov/ftp/bulletin/98–3.txt; Federal Reserve SR Letter 98–9 on Assessment of Information Technology in the Risk-Focused Frameworks for the Supervision of Community Banks and Large Complex Banking Organizations, April 20, 1998, http://www.federalreserve.gov/boarddocs/SRLETTERS/1998/SR9809.HTM; FDIC FIL 99–68 concerning risk assessment tools and practices for information security systems at http://www.fdic.gov/news/news/financial/1999/fil9968.html; OTS’s CEO Letter 70, Statement on Retail On-Line Personal Computer Banking, (June 23, 1997), available at http://www.ots.treas.gov/docs/25070.pdf. [End of Footnote 12]

III.F. Report to the Board

Paragraph III.A.2.c. of the proposal set out management’s responsibilities for reporting to its board of directors. As previously discussed, the final Guidelines have removed specific requirements for management, but instead allow a financial institution to determine who within the organization should carry out a given responsibility. The board reporting requirement thus has been amended to require that a financial institution report to its board, and that this report be at least annual. Paragraph III.F. of the final Guidelines sets out this requirement.

The Agencies invited comment regarding the appropriate frequency of reports to the board, including whether reports should be monthly, quarterly, or annually. The Agencies received a number of comments recommending that no specific frequency be mandated by the Guidelines and that each financial institution be permitted to establish its own reporting period. Several commenters stated that if a reporting period is required, then it should be not less than annually unless some material event triggers the need for an interim report.

The Agencies expect that in all cases, management will provide its board (or the appropriate board committee) a written report on the information security program consistent with the Guidelines at least annually. Management of financial institutions with more complex information systems may find it necessary to provide information to the board (or a committee) on a more frequent basis. Similarly, more frequent reporting will be appropriate whenever a material event affecting the system occurs or a material modification is made to the system. The Agencies expect that the content of these reports will vary for each financial institution, depending upon the nature and scope of its activities as well as the different circumstances that it will confront as it implements and maintains its program.

III.G. Implement the Standards

Paragraph III.E. of the proposal described the timing requirements for the implementation of these standards. It provided that each financial institution is to take appropriate steps to fully implement an information security program pursuant to these Guidelines by July 1, 2001. The Agencies received several comments suggesting that the proposed effective date be extended for a period of 12 to 18 months because financial institutions are currently involved in efforts to meet the requirements of the final Privacy Rule by the compliance deadline, July 1, 2001.

The Agencies believe that the dates for full compliance with these Guidelines and the Privacy Rule should coincide. Financial institutions are required, as part of their initial privacy notices, to disclose their policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. See § .6(a)(8). Each Agency has provided in the appendix to its Privacy Rule that a financial institution may satisfy this disclosure requirement by advising its customers that the institution maintains physical, electronic, and procedural safeguards that comply with federal standards to guard customers’ nonpublic personal information. See appendix A-7. The Agencies believe that this disclosure will be meaningful only if the final Guidelines are effective when the disclosure is made. If the effective date of these Guidelines is extended beyond July 1, 2001, then a financial institution may be placed in the position of providing an initial notice regarding confidentiality and security and thereafter amending the privacy policy to accurately refer to the federal standards once they became effective. For these reasons, the Agencies have retained July 1, 2001, as the effective date for these Guidelines. However, the Agencies have included a transition rule for contracts with service providers.
The transition rule, which parallels a similar provision in the Privacy Rule, provides a two-year period for grandfathering existing contracts. Thus a contract entered into on or before the date that is 30 days after publication of the final Guidelines in the Federal Register satisfies the provisions of this part until July 1, 2003, even if the contract does not include provisions delineating the servicer’s duties and responsibilities to protect customer information described in paragraph III.D.

Location of Guidelines: These guidelines have been published as an appendix to each Agency’s Standards for Safety and Soundness. For the OCC, those regulations appear at 12 CFR part 30; for the Board, at 12 CFR part 208; for the FDIC, at 12 CFR part 364; and for the OTS, at 12 CFR part 570. The Board also is amending 12 CFR parts 211 and 225 to apply the Guidelines to other institutions that it supervises. The Agencies will apply the rules already in place to require the submission of a compliance plan in appropriate circumstances. For the OCC, those regulations appear at 12 CFR part 30; for the Board at 12 CFR part 263; for the FDIC at 12 CFR part 308, subpart R; and for the OTS at 12 CFR part 570. The final rules make conforming changes to the regulatory text of these parts.

Rescission of Year 2000 Standards for Safety and Soundness: The Agencies previously issued guidelines establishing Year 2000 safety and soundness standards for insured depository institutions pursuant to section 39 of the FDI Act. Because the events for which these standards were issued have passed, the Agencies have concluded that the guidelines are no longer necessary and proposed to rescind the standards as part of this rulemaking. The Agencies requested comment on whether rescission of these standards is appropriate. Those commenters responding to this request were unanimous in recommending the rescission of the Year 2000 Standards, and the Agencies have rescinded these standards.
These standards appeared for the OCC at 12 CFR part 30, appendix B and C; for the Board at 12 CFR part 208, appendix D–2; for the FDIC at 12 CFR part 364, appendix B; and for the OTS at 12 CFR part 570, appendix B. Accordingly, the Agencies hereby rescind the Year 2000 Standards for Safety and Soundness, effective thirty (30) days after the publication date of this notice of the joint final rule.

IV. Regulatory Analysis

A. Paperwork Reduction Act

The Agencies have determined that this rule does not involve a collection of information pursuant to the provisions of the Paperwork Reduction Act (44 U.S.C. 3501 et seq.).

B. Regulatory Flexibility Act

OCC: Under the Regulatory Flexibility Act (RFA), the OCC must either provide a Final Regulatory Flexibility Analysis (FRFA) with these final Guidelines or certify that the final Guidelines “will not, if promulgated”, have a significant economic impact on a substantial number of small entities. [See Footnote 13] The OCC has evaluated the effects of these Guidelines on small entities and is providing the following FRFA. Although the OCC specifically sought comment on the costs to small entities of establishing and operating information security programs, no commenters provided specific cost information. Instead, commenters confirmed the OCC’s conclusion that most if not all institutions already have information security programs in place, because the standards reflect good business practices and existing OCC and FFIEC guidance. Some comments indicated, however, that institutions will have to formalize or enhance their information security programs. Accordingly, the OCC considered certifying, under section 605(b) of the RFA, that these Guidelines will not have a significant economic impact on a substantial number of small entities. However, given that the guidance previously issued by the OCC and the FFIEC is not completely identical to the Guidelines being adopted in this rulemaking, the Guidelines are likely to have some impact on all affected institutions. While the OCC believes that this impact will not be substantial in the case of most small entities, we nevertheless have prepared the following FRFA.

Footnote 13--The RFA defines the term “small entity” in 5 U.S.C. 601 by reference to a definition published by the Small Business Administration (SBA). The SBA has defined a “small entity” for banking purposes as a national or commercial bank, or savings institution with less than $100 million in assets. See 13 CFR 121.201. [End of Footnote 13]

1. Reasons for Final Action

The OCC is issuing these Guidelines under section 501(b) of the G–L–B Act. Section 501(b) requires the OCC to publish standards for financial institutions subject to its jurisdiction relating to administrative, technical and physical standards to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

2. Objectives of and Legal Basis for Final Action

The objectives of the Guidelines are described in the Supplementary Information section above. The legal bases for the Guidelines are: 12 U.S.C. 93a, 1818, 1831p–1, and 3102(b) and 15 USC 6801 and 6805(b)(1).

3. Small Entities to Which the Rule Will Apply

The OCC’s final Guidelines will apply to approximately 2300 institutions, including national banks, federal branches and federal agencies of foreign banks, and certain subsidiaries of such entities.
The OCC estimates that approximately 1125 of these institutions are small institutions with assets less than $100 million.

4. Projected Reporting, Recordkeeping, and Other Compliance Requirements; Skills Required

The Guidelines do not require any reports to the OCC; however, they require all covered institutions to develop and implement a written information security program comprised of several elements. Institutions must assess the risks to their customer information and adopt appropriate measures to control those risks. Institutions must then test these security measures and adjust their information security programs in light of any relevant changes. In addition, institutions must use appropriate due diligence in selecting service providers, and require service providers, by contract, to implement appropriate security measures. The Guidelines also require institutions to monitor their service providers, where appropriate, to confirm they have met their contractual obligations. Finally, the Guidelines require the board of directors or an appropriate committee of the board of each institution to approve the institution’s information security program and to oversee its implementation. To facilitate board oversight, the institution must provide to the board or to the board committee a report, at least annually, describing the overall status of the institution’s information security program and the institution’s compliance with the Guidelines.

Because the information security program described above reflects existing supervisory guidance, the OCC believes that most institutions already have the expertise to develop, implement, and maintain the program. However, if they have not already done so, institutions will have to retain the services of someone capable of assessing threats to the institution’s customer information.
Institutions that lack an adequate information security program also will have to have personnel capable of developing, implementing and testing security measures to address these threats. Institutions that use service providers may require legal skills to draft appropriate language for contracts with service providers.

5. Public Comment and Significant Alternatives

The OCC did not receive any public comment on its initial regulatory flexibility analysis, although it did receive comments on the proposed Guidelines, and on the impact of the Guidelines on small entities in particular. The comments received by the OCC and the other Agencies are discussed at length in the supplementary information above. While some commenters suggested that the OCC exempt small institutions altogether, the OCC has no authority under the statute to do so. The discussion below reviews the changes adopted in the final Guidelines that will minimize the economic impact of the Guidelines on all businesses.

The OCC carefully considered comments from small entities that encouraged the Agencies to issue guidelines that are not overly prescriptive, that provide flexibility in the design of an information security program, but that still provide small entities with some guidance. After considering these comments, the OCC determined that it is appropriate to issue the standards as Guidelines that allow each institution the discretion to design an information security program that suits its particular size and complexity and the nature and scope of its activities. The OCC considered issuing broader Guidelines that would only identify objectives to be achieved while leaving it up to each institution to decide what steps it should take to ensure that it meets these objectives.
However, the OCC concluded that such broad guidance ultimately would be less helpful than would be guidelines that combine the flexibility sought by commenters with meaningful guidance on factors that an institution should consider and steps that the institution should take. The OCC also considered the utility of more prescriptive guidelines, but rejected that approach out of concern that it likely would be more burdensome, could interfere with innovation, and could impose requirements that would be inappropriate in a given situation. While the Guidelines are not overly detailed, they provide guidance by establishing the process an institution will need to follow in order to protect its customer information and by identifying security measures that are likely to have the greatest applicability to national banks in general.

Most commenters supported the use of the more narrow definition of “customer” in the Guidelines as is used in the Privacy Rule rather than a broad definition that would apply to all records under the control of a financial institution. Commenters maintained that two different definitions would be confusing and also inconsistent with the use of the term “customer” in section 501 of the G–L–B Act. The OCC considered using the broader definition, but determined that information security could be addressed more broadly through other vehicles. For the sake of consistency, the final Guidelines adopt the narrower definition and apply only to records of consumers who have established a continuing relationship with an institution under which the institution provides one or more financial products or services to the consumer to be used primarily for personal, family or household purposes, the definition used in the Privacy Rule.

Many commenters criticized the list of proposed objectives for each financial institution’s information security program, which generally reflected the statutory objectives in section 501(b).
Federal Register/Vol. 66, No. 22/Thursday, February 1, 2001/Rules and Regulations
According to these comments, the objectives were stated in a manner that made them absolute, unachievable, and therefore burdensome. The final Guidelines have been drafted to clarify these objectives by stating that each security program is to be ‘‘designed’’ to accomplish the objectives stated. Commenters wanted board involvement in the development and implementation of an information security program left to the discretion of the financial institution. Commenters also asked the OCC to clarify that the board may delegate to a committee responsibility for involvement in the institution’s security program. While the final Guidelines as drafted continue to place responsibility on an institution’s board to approve and exercise general oversight over the program, they now clarify that a committee of the board may approve the institution’s written security program. In addition, the Guidelines permit the board to assign specific implementation responsibilities to a committee or an individual. The OCC considered requiring an institution to designate a Corporate Security Officer. However, the agency agreed with commenters that a financial institution is in the best position to determine who should be assigned specific roles in implementing the institution’s security program. Therefore, the Guidelines do not include this requirement. The proposal identifying various security measures that an institution should consider in evaluating the adequacy of its policies and procedures was criticized by many commenters. These commenters misinterpreted the list of measures and believed each measure to be mandatory. Small entities commented that these measures were overly comprehensive and burdensome. As discussed previously in the preamble, the OCC did not intend to suggest that every institution must adopt every one of the measures.
To highlight the OCC’s intention that an institution must determine for itself which measures will be appropriate for its own risk profile, the final Guidelines now clearly state that each financial institution must consider whether the security elements listed are appropriate for the institution and, if so, adopt those elements an institution concludes are appropriate. Commenters noted that testing could be burdensome and costly, especially for small entities. The OCC considered mandating specific tests, but determined that with changes in technology, such tests could become obsolete. Therefore, the final Guidelines permit management to exercise its discretion to determine the frequency and types of tests that need to be conducted. The OCC considered requiring that testing, or the review of test results, be conducted by outside auditors. The OCC determined that these duties could be performed effectively by an institution’s own staff, if the staff selected are sufficiently independent. Therefore, the Guidelines permit financial institutions to determine for themselves whether to use third parties to either conduct tests or review their results, or to use staff independent of those that develop or maintain the institution’s security program. Many commenters objected to provisions in the proposal requiring institutions to monitor their service providers. Commenters asserted that it would be burdensome to require them to monitor the activities of their service providers and that information security of service providers should be handled through contractual arrangements. The final Guidelines include greater flexibility with regard to the monitoring of service providers than was provided in the proposal.
The final Guidelines recognize that some service providers will be financial institutions that are directly subject to these Guidelines or other standards promulgated under section 501(b) and that other service providers may already be subject to legal and professional standards that require them to safeguard the institution’s customer information. Therefore, the final Guidelines permit an institution to do a risk assessment taking these factors into account and to determine for itself which service providers will need to be monitored. Where monitoring is warranted, the Guidelines now specify that monitoring can be accomplished, for example, through the periodic review of the service provider’s associated audits, summaries of test results, or equivalent measures of the service provider. In addition, after considering the comments about contracts with service providers and the effective date of the Guidelines, the OCC also adopted a transition rule, similar to a provision in the Privacy Rule, that grandfathers existing contracts for a two-year period. One commenter requested that smaller community banks be given additional time to comply with the Guidelines because having to comply with the new Privacy Rule and these Guidelines will put a strain on the resources of smaller banks. The OCC considered this request but did not change the effective date of the Guidelines given the importance of safeguarding customer information. In addition, most institutions already have information security programs in place, and the OCC has addressed this concern by adding flexibility to the final Guidelines in a variety of other areas as described above.
Board: The Regulatory Flexibility Act (5 U.S.C. 604) requires an agency to publish a final regulatory flexibility analysis when promulgating a final rule that was subject to notice and comment.
Need for and objectives of Guidelines: As discussed above, these Guidelines implement section 501 of the GLB Act.
The objective of the Guidelines is to establish standards for financial institutions that are subject to the Board’s jurisdiction to protect the security and confidentiality of their customers’ information. In particular, the Guidelines require those financial institutions to implement a comprehensive written information security program that includes: (1) Assessing the reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information; (2) Adopting security measures that the financial institution concludes are appropriate for it; and (3) Overseeing its arrangements with its service provider(s).
Comments on the initial regulatory flexibility analysis: Although few commenters addressed the initial regulatory flexibility analysis specifically, many commenters addressed the regulatory burdens that were discussed in that analysis. Several commenters noted that certain aspects of the proposal may tax the comparatively limited resources of small institutions, yet few commenters quantified the potential costs of compliance. The comments received by the Board and the other Agencies were discussed in the supplementary information above. Those comments that are closely related to regulatory burden are highlighted below: The Board requested comment on the scope of the term ‘‘customer’’ for purposes of the Guidelines. Many commenters opposed expanding the proposed scope of the Guidelines to apply to information about business customers and consumers who have not established continuing relationships with the financial institution. The commenters stated that an expanded scope would impose higher costs of developing an information security program and would be inconsistent with the use of the term ‘‘customer’’ in section 501 of the GLB Act and the Agencies’ Privacy Rule.
As explained in the supplementary information above, the Board has defined ‘‘customer’’ in the final Guidelines in the same way as that term is defined in section 1.3(h) of the Agencies’ Privacy Rule. Many commenters urged the Board to reduce the level of detail about the kinds of measures that would be required to implement an information security program under the proposed Guidelines. Commenters argued, for instance, that requiring particular testing procedures of security systems would make the standards too onerous for those institutions for which other kinds of tests and audits would be more suitable. In a similar vein, some commenters proposed that the Board should issue examples that would illustrate the kinds of security measures that, if adopted, would constitute compliance with the Guidelines. The Board believes that many commenters may have misinterpreted the intent of the original proposal regarding the particular safeguards that would be expected. The provision that requires each financial institution to consider a variety of security measures has been redrafted in an effort to clarify that the institution must determine for itself which measures will be appropriate to its own risk profile. Although an institution is required to consider each of the security measures listed in paragraph III.C.1., it is not obligated to incorporate any particular security measures or particular testing procedures into its information security program. Rather, the institution may adopt those measures and use those tests that it concludes are appropriate. The Board is mindful that institutions’ operations will vary in their complexity and scope of activities and present different risk profiles to their customer information. Accordingly, the Board has not established definitive security measures that, if adopted, would constitute compliance with the Guidelines.
The Board asked for comments on several issues related to the appropriate security standards pertaining to an institution’s arrangements with its service providers. As discussed above, many comments addressed these issues and, notably, objected to a provision that would require an institution to monitor its service providers through on-site audits. Several commenters noted that the service providers often contract for audits of their systems and argued that an institution should be able to rely upon those testing procedures. Commenters also recommended that an institution’s responsibility for information given to service providers require only that the institution enter into appropriate contractual arrangements. The Board has modified the Guidelines to clarify an institution’s responsibilities with respect to service providers. The Board has not designed a standard that would require a financial institution to conduct an on-site audit of its service provider’s security program. Instead, the Board adopted a standard that requires an institution to monitor its service provider to confirm that it has satisfied its contractual obligations, depending upon the institution’s risk assessment. In the course of conducting its risk assessment and determining which service providers will need to be monitored, an institution may take into account the fact that some of its service providers may be financial institutions that are directly subject to these Guidelines or other standards promulgated by their primary regulator under section 501(b). Furthermore, after considering the comments about contracts with service providers and the effective date of the Guidelines, the Board also adopted a transition rule, which parallels a similar provision in the Privacy Rule, that provides a two-year period for grandfathering existing contracts.
Many commenters addressed the burdens that would be imposed by the proposal due to the effective date and urged the Board to extend the proposed July 1, 2001, effective date for a period ranging from one to two years. Most of these commenters argued that complying with the proposed Guidelines by July 1, 2001, would place a considerable burden on their businesses, particularly because the Guidelines would mandate changes to computer software, employee training, and compliance systems. As discussed above, the Board believes that the dates for full compliance with these Guidelines and the Privacy Rule should coincide. Financial institutions are required, as part of their initial privacy notices, to describe their policies and practices with respect to protecting the confidentiality and security of nonpublic personal information (12 CFR 216.6). The Board believes that if the effective date of these Guidelines is extended beyond July 1, 2001, then a financial institution may be placed in the position of providing an initial notice regarding confidentiality and security and thereafter amending the privacy policy to accurately refer to the federal standards once they became effective. Accordingly, the Board has adopted the proposed effective date of July 1, 2001.
Institutions covered. The Board’s final Guidelines will apply to approximately 9,500 institutions, including state member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, state uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations. The Board estimates that over 4,500 of the institutions are small institutions with assets less than $100 million.
New compliance requirements. The final Guidelines contain new compliance requirements for all covered institutions, many of which are contained in existing supervisory guidance and examination procedures.
Nonetheless, each must develop and implement a written information security program. As part of that program, institutions will be required to assess the reasonably foreseeable risks, taking into account the sensitivity of customer information, and assess the sufficiency of policies and procedures in place to control those risks. Institutions that use third-party service providers to process customer information must exercise appropriate due diligence in selecting them, require them by contract to implement appropriate measures designed to meet the objectives of these Guidelines, and, depending upon the institution’s risk assessment, monitor them to confirm that they have satisfied their contractual obligations. As part of its compliance measures, an institution may need to train its employees or hire individuals with professional skills suitable to implementing the policies and procedures of its information security program, such as those skills necessary to test or review tests of its security measures. Some institutions may already have programs that meet these requirements, but others may not.
Minimizing impact on small institutions. The Board believes the requirements of the Act and these Guidelines may create additional burden for some small institutions. The Guidelines apply to all covered institutions, regardless of size. The Act does not provide the Board with the authority to exempt a small institution from the requirement of implementing administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Although the Board could develop different guidelines depending on the size and complexity of a financial institution, the Board believes that differing treatment would not be appropriate, given that one of the stated purposes of the Act is to protect the confidentiality and security of customers’ nonpublic personal information.
The Board believes that the compliance burden is minimized for small institutions because the Guidelines expressly allow institutions to develop security measures that are ‘‘appropriate to the size and complexity of the [institution]’’. The Guidelines do not mandate any particular policies, procedures, or security measures for any institution other than general requirements, such as to ‘‘train staff’’ or ‘‘monitor its service providers to confirm that they have satisfied their [contractual] obligations’’. The Board believes that the final Guidelines vest a small institution with a broad degree of discretion to design and implement an information security program that suits its own organizational structure and risk profile.
FDIC: The Regulatory Flexibility Act (5 U.S.C. 601–612) (RFA) requires, subject to certain exceptions, that federal agencies prepare an initial regulatory flexibility analysis (IRFA) with a proposed rule and a final regulatory flexibility analysis (FRFA) with a final rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. [See Footnote 14] At the time of issuance of the proposed Guidelines, the FDIC could not make such a determination for certification. Therefore, the FDIC issued an IRFA pursuant to section 603 of the RFA. After reviewing the comments submitted in response to the proposed Guidelines, the FDIC believes that it does not have sufficient information to determine whether the final Guidelines would have a significant economic impact on a substantial number of small entities. Hence, pursuant to section 604 of the RFA, the FDIC provides the following FRFA. This FRFA incorporates the FDIC’s initial findings, as set forth in the IRFA; addresses the comments submitted in response to the IRFA; and describes the steps the FDIC has taken in the final rule to minimize the impact on small entities, consistent with the objectives of the Gramm-Leach-Bliley Act (G–L–B Act). Also, in accordance with section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996 (Public Law 104–121), in the near future the FDIC will issue a compliance guide to assist small entities in complying with these Guidelines.
Footnote 14 - The RFA defines the term ‘‘small entity’’ in 5 U.S.C. 601 by reference to definitions published by the Small Business Administration (SBA). The SBA has defined a ‘‘small entity’’ for banking purposes as a national or commercial bank, or savings institution with less than $100 million in assets. See 13 CFR 121.201. [End of Footnote 14]
Statement of the Need and Objectives of the Rule
The final Guidelines implement the provisions of Title V, Subtitle A, Section 501 of the GLBA addressing standards for safeguarding customer information. Section 501 requires the Agencies to publish standards for financial institutions relating to administrative, technical, and physical standards to:
Insure the security and confidentiality of customer records and information.
Protect against any anticipated threats or hazards to the security or integrity of such records.
Protect against unauthorized access to or use of such records or information, which could result in substantial harm or inconvenience to any customer.
The final Guidelines do not represent any change in the policies of the FDIC; rather they implement the G–L–B Act requirement to provide appropriate standards relating to the security and confidentiality of customer records.
Summary of Significant Issues Raised by the Public Comments; Description of Steps the Agency Has Taken in Response to the Comments to Minimize the Significant Economic Impact on Small Entities.
In the IRFA, the FDIC specifically requested information on whether small entities would be required to amend their operations in order to comply with the final Guidelines and the costs for such compliance. The FDIC also requested comment or information on the costs of establishing information security programs. The FDIC also sought comment on any significant alternatives, consistent with the G–L–B Act, that would minimize the impact on small entities. The FDIC received a total of 63 comment letters. However, none of the comment letters specifically addressed the initial regulatory flexibility act section of the proposed Guidelines. Instead, many commenters, representing banks of various sizes, addressed the regulatory burdens in connection with their discussion of specific Guideline provisions. The FDIC has sought to minimize the burden on all businesses, including small entities, in promulgating these final Guidelines. The statute does not authorize the FDIC to create exemptions from the G–L–B Act based on an institution’s asset size. However, the FDIC carefully considered comments regarding alternatives designed to minimize the economic and overall burden of complying with the final Guidelines. The discussion below reviews some of the significant changes adopted in the final Guidelines to accomplish this purpose.
Small Entities to Which the Guidelines Will Apply
The final Guidelines will apply to all FDIC-insured state-nonmember banks, regardless of size, including those with assets of under $100 million. As of September 2000, there were 3,331 small banks out of a total of 5,130 FDIC-insured state-nonmember banks with assets of under $100 million. Title V, Subtitle A, of the GLBA does not provide either an exception for small banks or statutory authority upon which the FDIC could provide such an exception in the Guidelines.
1. Issue the Rule as Guidelines or Regulations.
The FDIC sought comment on whether to issue the rule as Guidelines or as regulations. All the comment letters stated that the rule should be issued in the form of Guidelines.
Some community banks stated that the Guidelines were unnecessary because they already have information security programs in place but would prefer Guidelines to regulations. The commentary supported the use of Guidelines because guidelines typically provide more flexibility than regulations. Since technology changes rapidly, Guidelines would allow institutions to adapt to a changing environment more quickly than regulations, which may become outdated. The FDIC has issued these standards as Guidelines. The final Guidelines establish standards that will allow each institution the flexibility to design an information security program to accommodate its particular level of complexity and scope of activities.
2. Definition of Customer.
In the proposed Guidelines, the FDIC defined ‘‘customer’’ in the same manner as in the Privacy Rule. A ‘‘customer’’ is defined as a consumer who has established a continuing relationship with an institution under which the institution provides one or more financial products or services to the consumer to be used primarily for personal, family, or household purposes. This definition does not include a business or a consumer who does not have an ongoing relationship with a financial institution. Almost all of the comments received by the FDIC agreed with the proposed definition and agreed that the definition should not be expanded to provide a common information security program for all types of records under the control of a financial institution. The Guidelines will apply only to consumer records as defined by the Privacy Rule, not business records. This will allow for a consistent interpretation of the term ‘‘customer’’ between the Guidelines and the Privacy Rule.
3. Involvement of the Bank’s Board of Directors.
The FDIC sought comment on how frequently management should report to the board of directors concerning the bank’s information security program.
Most of the comment letters stated that the final Guidelines should not dictate how frequently the bank reports to the board of directors and that the bank should have discretion in this regard. The comment letters clearly conveyed a preference to not have a reporting requirement. However, if there was to be one, commenters suggested that it be annual. The Agencies have amended the Guidelines to require that a bank report at least annually to its board of directors. However, more frequent reporting will be necessary if a material event affecting the information security system occurs or if material modifications are made to the system.
4. Designation of Corporate Information Security Officer.
The Agencies considered whether the Guidelines should require that the bank’s board of directors designate a ‘‘Corporate Information Security Officer’’ with the responsibility to develop and administer the bank’s information security program. Most of the comment letters requested that this requirement not be adopted because adding a new personnel position would be financially burdensome. The FDIC agrees that a new position with a specific title is not necessary. The final Guidelines do, however, require that the authority for the development, implementation, and administration of the bank’s information security program be clearly expressed although not assigned to a particular individual.
5. Managing and Controlling Risk.
Many comments focused on the eleven factors in the proposed Guidelines that banks should consider when evaluating the adequacy of their information security programs. The Agencies did not intend to mandate the security measures listed in section III.C. of the proposed Guidelines for all banks and all data. Instead the Agencies believe the security measures should be followed as appropriate for each bank’s particular circumstances.
Some concern was expressed that the proposed Guidelines required encryption of all customer information. The FDIC believes that a bank that has Internet-based transaction accounts or a transactional Web site may decide that encryption is appropriate, but a bank that processes all data internally may need different access restrictions. While a bank is to consider each element in section III.C. in the design of its information security program, this is less burdensome than a requirement to include each element listed in that section. The proposed Guidelines provided that institutions train employees to recognize, respond to, and report suspicious attempts to obtain customer information directly to law enforcement agencies and regulatory agencies. Some comment letters stated that suspicious activity should be reported to management, not directly to law enforcement agencies and regulatory agencies. The FDIC believes employees should be made aware of federal reporting requirements and an institution’s procedures for reporting suspicious activity. However, the Guidelines have been amended to allow financial institutions to decide who is to file a report to law enforcement agencies, consistent with other applicable regulations. A significant number of comments stated that the FDIC should not require specific tests to ensure the security and confidentiality of customer information. Some comments stated that periodic testing is appropriate. The final Guidelines do not specify particular tests but provide that management should decide on the appropriate testing. Also, the final Guidelines require tests to be conducted or reviewed by people independent of those who operate the systems. Further, banks must review their service provider’s security program to determine that it is consistent with the Guidelines. However, the final Guidelines do not require on-site inspections.
6. Effective Date.
The effective date for the final Guidelines is July 1, 2001.
As discussed in the section-by-section analysis, many of the comment letters urged the FDIC to extend the effective date of the Guidelines, particularly since this is the effective date for complying with the Privacy Rule. Several of the comments suggested the proposed effective date be extended for 12 to 18 months. However, the FDIC believes that the effective date for the Guidelines and the Privacy Rule should coincide. The Privacy Rule requires a financial institution to disclose to its customers that the bank maintains physical, electronic, and procedural safeguards to protect customers’ nonpublic personal information. Appendix A of the Privacy Rule provides that this disclosure may refer to these federal guidelines. This is only meaningful if the final Guidelines for safeguarding customer information are effective when the disclosure is made. The Guidelines do provide a transition rule for contracts with service providers—essentially allowing a two-year compliance period for service provider contracts. A contract entered into on or before March 5, 2001, satisfies the provisions of this part until July 1, 2003, even if the contract does not include provisions delineating the servicer’s duties and responsibilities to protect customer information described in section III.D. This additional time will allow financial institutions to make all necessary changes to service provider contracts and to comply with this segment of the Guidelines.
Summary of the Agency Assessment of Issues Raised in Public Comments
Most of the comment letters did not discuss actual compliance costs for implementing the provisions of the Guidelines. Some commenters stated that their bank has an established information security program and that information security is a customary business practice. The new compliance and reporting requirements will create additional costs for some institutions.
These costs include: (1) Training staff; (2) monitoring outsourcing agreements; (3) performing due diligence before contracting with a service provider; (4) testing security systems; and (5) adjusting security programs due to technology changes. The comments did not provide data from which the FDIC could quantify the cost of implementing the requirements of the GLBA. The compliance costs will vary among institutions.
Description/Estimate of Small Entities To Which the Guidelines Will Apply
The Guidelines will apply to approximately 3,300 FDIC-insured State nonmember banks that are small entities (assets less than $100 million) as defined in the RFA.
Description of Projected Reporting, Record-Keeping, and Other Compliance Requirements
The final Guidelines contain standards for the protection of customer records and information that apply to all FDIC-insured state-nonmember banks. Institutions will be required to report annually to the bank’s board of directors concerning the bank’s information security program. Institutions will need to develop a training program that is designed to implement the institution’s information security policies and procedures. An institution’s information security system will be tested to ensure the controls and procedures of the program work properly. However, the final Guidelines do not specify what particular tests the bank should undertake. The final Guidelines state that the tests are to be conducted or reviewed by persons who are independent of those who operate the systems. Institutions will have to exercise due diligence in the selection of service providers to ensure that the bank’s customer information will be protected consistent with these Guidelines. And institutions will have to monitor these service provider arrangements to confirm that the institution’s customer information is protected, which may be accomplished by reviewing service provider audits and summaries of test results. Also, institutions will need to adjust their security program as technology changes. The types of professional skills within the institution necessary to prepare the report to the board would include an understanding of the institution’s information security program, a level of technical knowledge of the hardware and software systems to evaluate test results recommending substantial modifications; and the ability to evaluate and report on the institution’s steps to oversee service provider arrangements.
OTS: The Regulatory Flexibility Act (RFA) [See Footnote 15] requires OTS to prepare a final regulatory flexibility analysis with these final Guidelines unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. OTS has evaluated the effects these Guidelines will have on small entities. In issuing proposed Guidelines, OTS specifically sought comment on the costs of establishing and operating information security programs, but no commenters provided specific cost information. Institutions cannot yet know how they will implement their information security programs and therefore have difficulty quantifying the associated costs. The Director of OTS considered certifying, under section 605(b) of the RFA, that these guidelines will not have a significant economic impact on a substantial number of small entities. However, because OTS cannot quantify the impact the Guidelines will have on small entities, and in the interests of thoroughness, OTS does not certify that the Guidelines will not have a significant economic impact on a substantial number of small entities. Instead, OTS has prepared the following final regulatory flexibility analysis.
A. Reasons for Final Action
OTS issues these Guidelines pursuant to section 501 of the G-L-B Act. As
B. Objectives of and Legal Basis for Final Action
The objectives of the Guidelines are described in the Supplementary Information section above. The legal bases for the final action are: section 501 of the G-L-B Act; section 39 of the FDI Act; and sections 2, 4, and 5 of the Home Owners’ Loan Act (12 U.S.C. 1462, 1463, and 1464).
C. Description of Entities To Which Final Action Will Apply
These Guidelines will apply to all savings associations whose deposits are FDIC insured, and subsidiaries of such savings associations, except subsidiaries that are brokers, dealers, persons providing insurance, investment companies, and investment advisers. [See Footnote 16]
D. Projected Reporting, Recordkeeping, and Other Compliance Requirements; Skills Required
The Guidelines do not require any reports to OTS. As discussed more fully above, they do require institutions to have a written information security program, and to make an appropriate report to the board of directors, or a board committee, at least annually. The Guidelines require institutions to establish an information security program, if they do not already have one. The Guidelines require institutions to assess the risks to their customer security and to adopt appropriate measures to control those risks. Institutions must also test the key controls, commensurate with the risks. Institutions must use appropriate due diligence in selecting outside service providers, and require service providers, by contract, to implement appropriate security measures. Finally, where appropriate, the Guidelines require institutions to monitor their service providers. Professional skills, such as skills of computer hardware and software, will be necessary to assess information security needs, and to design and
outside service providers may require legal skills to draft appropriate language for contracts with service providers.
E. Public Comment and Significant Alternatives
OTS did not receive any public comment on its initial regulatory flexibility analysis, although it did receive comments on the proposal in general, and on the Guidelines’ impact on small entities in particular. OTS addresses these below. OTS has considered publishing standards using only the broad language in section 501(b) of the G–L-B Act, as supported by one commenter. The Agencies rejected this alternative in favor of more comprehensive Guidelines. Using only the general statutory language would permit institutions maximum flexibility in implementing information security protections and would not put institutions at a competitive disadvantage with respect to institutions not subject to the same security standards. However, using the statutory language alone would not provide enough guidance to institutions about what risks need to be addressed or what types of protections are appropriate. Small institutions in particular may need guidance in this area. One trade association that represents community banks commented that institutions need guidance to determine what level of information security the Agencies will look for, and that community banks in particular need guidance in this area. OTS believes that the alternative it chose, more comprehensive standards, provides helpful guidance without sacrificing flexibility. OTS has also considered the alternative of defining ‘‘service provider’’ more narrowly than in the proposed Guidelines to reduce regulatory burden. The Guidelines require a financial institution to take appropriate steps to protect customer information provided to a service provider.
Due to limited resources, implement an information security described in this preamble and in the small institutions may need to program. The particular skills needed notice of proposed action, section 501 will be commensurate with the nature of outsource a disproportionately larger requires OTS to publish standards for each institution’s system, i.e. more skills number of functions than large the thrift industry relating to institutions outsource, and accordingly will be needed in institutions with administrative, technical, and physical have a greater need for service sophisticated and extensive safeguards to: (1) Insure the security and computerization. As a result, small providers. Thus, the burdens associated confidentiality of customer records and with service providers may fall more entities with less extensive information; (2) protect against any heavily on small institutions than on computerization are likely to have less anticipated threats or hazards to the large institutions. But the risks to burdensome compliance needs than security or integrity of such records, and large entities. Institutions that use information security do not necessarily (3) protect against unauthorized access vary depending on a service provider’s to or use of such records or information Rather, they vary depending on Footnote16--For purposes of the Regulatory Flexibility identity. Act, which could result in the substantial the type and volume of information to a small savings association is one with less than harm or inconvenience to any customer. $100 million in assets. 1 3 CFR 121.201 (Division H). which a service provider has access, the There are approximately 487 such small savings safeguards it has in place, and what the associations, approximately 97 of which have service provider does with the Footnote15--U.S.C. 604(a).[EndofFootnote15] subsidiaries.[EndofFootnote16] 8632 Federal Register/Vol. 66, No. 22/Thursday, February 1, 2001/Rules and Regulations information. 
Basing the requirements as to service providers on a service provider’s identity would not necessarily focus protections on areas of risk. For this reason, the final Guidelines focus the protections regarding service providers on the risks involved rather than on the service provider’s identity. This approach should provide the necessary protections without unnecessary burden on small institutions.

OTS reviewed the alternative of requiring an institution’s board of directors to designate a Corporate Information Security Officer who would have authority, with approval by the board, to develop and administer the institution’s information security program. However, ultimately, the agencies rejected the idea of having financial institutions create a new position to fulfill this purpose. Instead, the Guidelines allow financial institutions the flexibility to determine who should be assigned specific roles in implementing the institution’s security program. As a result, small institutions will be relieved of a potential burden.

The final Guidelines incorporate new provisions not in the proposed Guidelines designed to add flexibility to assist all institutions, large and small. For example, the final Guidelines, unlike the proposal, do not specify particular tasks for management. Instead, the final Guidelines allow each institution the flexibility to decide for itself the most efficient allocation of its personnel. Similarly, the final Guidelines allow institutions to delegate board duties to board committees. Additionally, in the final guidelines the Agencies removed the requirement that information security programs ‘‘shall * * * ensure’’ the security and confidentiality of customer information. Instead, the guidelines say the program ‘‘shall be designed to * * * ensure’’ the security and confidentiality of customer information. The final Guidelines further incorporate more flexibility than the proposal concerning testing systems.
The proposal required third parties or staff independent of those who maintain the program to test it, and required third parties or staff independent of the testers to review test results. To add flexibility, the final Guidelines more simply require staff or third parties independent of those who develop or maintain the programs to conduct or review the tests. These changes should serve to reduce the burden of the Guidelines.

C. Executive Order 12866

The Comptroller of the Currency and the Office of Thrift Supervision have determined that this rule does not constitute a ‘‘significant regulatory action’’ for the purposes of Executive Order 12866. The OCC and OTS are issuing the Guidelines in accordance with the requirements of Sections 501 and 505(b) of the G-L-B Act and not under their own authority. Even absent the requirements of the G–L-B Act, if the OCC and OTS had issued the rule under their own authority, the rule would not constitute a ‘‘significant regulatory action’’ for purposes of Executive Order 12866. The standards established by the Guidelines are very flexible and allow each institution the discretion to have an information security program that suits its particular size, complexity and the nature and scope of its activities. Further, the standards reflect good business practices and guidance previously issued by the OCC, OTS, and the FFIEC. Accordingly, most if not all institutions already have information security programs in place that are consistent with the Guidelines. In such cases, little or no modification to an institution’s program will be required.

D. Unfunded Mandates Act of 1995

Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1532 (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating any rule likely to result in a federal mandate that may result in the expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires the agency to identify and consider a reasonable number of regulatory alternatives before promulgating the rule. However, an agency is not required to assess the effects of its regulatory actions on the private sector to the extent that such regulations incorporate requirements specifically set forth in law. 2 U.S.C. 1531. The OCC and OTS believe that most institutions already have established an information security program because it is a sound business practice that also has been addressed in existing supervisory guidance. Therefore, the OCC and OTS have determined that the Guidelines will not result in expenditures by state, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. Accordingly, the OCC and OTS have not prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered.

List of Subjects

12 CFR Part 30
Banks, banking, Consumer protection, National banks, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 208
Banks, banking, Consumer protection, Federal Reserve System, Foreign banking, Holding companies, Information, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 211
Exports, Federal Reserve System, Foreign banking, Holding companies, Investments, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 225
Administrative practice and procedure, Banks, banking, Federal Reserve System, Holding companies, Privacy, Reporting and recordkeeping requirements, Securities.

12 CFR Part 263
Administrative practice and procedure, Claims, Crime, Equal access to justice, Federal Reserve System, Lawyers, Penalties.

12 CFR Part 308
Administrative practice and procedure, Banks, banking, Claims, Crime, Equal access to justice, Lawyers, Penalties, State nonmember banks.

12 CFR Part 364
Administrative practice and procedure, Bank deposit insurance, Banks, banking, Reporting and recordkeeping requirements, Safety and soundness.

12 CFR Part 568
Reporting and recordkeeping requirements, Savings associations, Security measures.

12 CFR Part 570
Consumer protection, Privacy, Savings associations.

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

For the reasons set forth in the joint preamble, part 30 of chapter I of title 12 of the Code of Federal Regulations is amended as follows:

PART 30—SAFETY AND SOUNDNESS STANDARDS

1. The authority citation for part 30 is revised to read as follows:

Authority: 12 U.S.C. 93a, 1818, 1831–p, 3102(b); 15 U.S.C. 6801, 6805(b)(1).

2. Revise § 30.1 to read as follows:

§ 30.1 Scope.

(a) The rules set forth in this part and the standards set forth in appendices A and B to this part apply to national banks and federal branches of foreign banks, that are subject to the provisions of section 39 of the Federal Deposit Insurance Act (section 39)(12 U.S.C. 1831p–1).

(b) The standards set forth in appendix B to this part also apply to uninsured national banks, federal branches and federal agencies of foreign banks, and the subsidiaries of any national bank, federal branch or federal agency of a foreign bank (except brokers, dealers, persons providing insurance, investment companies and investment advisers). Violation of these standards may be an unsafe and unsound practice within the meaning of 12 U.S.C. 1818.

3. In § 30.2, revise the last sentence to read as follows:

§ 30.2 Purpose.

* * * The Interagency Guidelines Establishing Standards for Safety and Soundness are set forth in appendix A to this part, and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information are set forth in appendix B to this part.

4. In § 30.3, revise paragraph (a) to read as follows:

§ 30.3 Determination and notification of failure to meet safety and soundness standard and request for compliance plan.

(a) Determination. The OCC may, based upon an examination, inspection, or any other information that becomes available to the OCC, determine that a bank has failed to satisfy the safety and soundness standards contained in the Interagency Guidelines Establishing Standards for Safety and Soundness set forth in appendix A to this part, and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information set forth in appendix B to this part.

* * * * *

5. Revise appendix B to part 30 to read as follows:

Appendix B to Part 30—Interagency Guidelines Establishing Standards For Safeguarding Customer Information

Table of Contents

I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p–1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of entities over which the OCC has authority. Such entities, referred to as ‘‘the bank,’’ are national banks, federal branches and federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit the authority of the OCC to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The OCC may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the OCC.

C. Definitions. 1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1).

2. For purposes of the Guidelines, the following definitions apply:

a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.

b. Customer means any customer of the bank as defined in § 40.3(h) of this chapter.

c. Customer information means any record containing nonpublic personal information, as defined in § 40.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank.

d. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

e. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.

II. Standards for Safeguarding Customer Information

A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

B. Objectives. A bank’s information security program shall be designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank shall:

1. Approve the bank’s written information security program; and

2. Oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each bank shall:

1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.

3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. Each bank shall:

1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:

a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.

b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

d. Procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program;

e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;

f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;

g. Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and

h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

2. Train staff to implement the bank’s information security program.

3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

D. Oversee Service Provider Arrangements. Each bank shall:

1. Exercise appropriate due diligence in selecting its service providers;

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by section D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program. Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank’s compliance with these Guidelines.
The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards.

1. Effective date. Each bank must implement an information security program pursuant to these Guidelines by July 1, 2001.

2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the bank entered into the contract on or before March 5, 2001.

6. Appendix C to part 30 is removed.

Dated: December 21, 2000.
John D. Hawke, Jr.,
Comptroller of the Currency.

Federal Reserve System

12 CFR Chapter II

Authority and Issuance

For the reasons set forth in the joint preamble, parts 208, 211, 225, and 263 of chapter II of title 12 of the Code of Federal Regulations are amended as follows:

PART 208—MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL RESERVE SYSTEM (REGULATION H)

1. The authority citation for 12 CFR part 208 is revised to read as follows:

Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a, 371d, 461, 481–486, 601, 611, 1814, 1816, 1818, 1820(d)(9), 1823(j), 1828(o), 1831, 1831o, 1831p–1, 1831r–1, 1835a, 1882, 2901-2907, 3105, 3310, 3331-3351, and 3906-3909; 15 U.S.C. 78b, 78l(b), 78l(g), 78l(i), 78o-4(c)(5), 78q, 78q–1, 78w, 6801, and 6805; 31 U.S.C. 5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128.

2. Amend § 208.3 to revise paragraph (d)(1) to read as follows:

§ 208.3 Application and conditions for membership in the Federal Reserve System.

* * * * *

(d) Conditions of membership. (1) Safety and soundness. Each member bank shall at all times conduct its business and exercise its powers with due regard to safety and soundness. Each member bank shall comply with the Interagency Guidelines Establishing Standards for Safety and Soundness prescribed pursuant to section 39 of the FDI Act (12 U.S.C. 1831p–1), set forth in appendix D–1 to this part, and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), set forth in appendix D–2 to this part.

* * * * *

3. Revise appendix D–2 to read as follows:

Appendix D–2 To Part 208—Interagency Guidelines Establishing Standards For Safeguarding Customer Information

Table of Contents

I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

These Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), in the same manner, to the extent practicable, as standards prescribed pursuant to section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p–1). These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of state member banks (banks) and their nonbank subsidiaries, except for brokers, dealers, persons providing insurance, investment companies, and investment advisors. Pursuant to §§ 211.9 and 211.24 of this chapter, these guidelines also apply to customer information maintained by or on behalf of Edge corporations, agreement corporations, and uninsured state-licensed branches or agencies of a foreign bank.

B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit the authority of the Board to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The Board may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the Board.

C. Definitions. 1.
Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1). 2. For purposes of the Guidelines, the following definitions apply: a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency. b. Customer means any customer of the bank as defined in § 216.3(h) of this chapter. c. Customer information means any record containing nonpublic personal information, as defined in § 216.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank. d. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information. e. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank. f. Subsidiary means any company controlled by a bank, except a broker, dealer, person providing insurance, investment company, investment advisor, insured depository institution, or subsidiary of an insured depository institution. II. Standards for Safeguarding Customer Information A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. A bank also shall ensure that each of its subsidiaries is subject to a comprehensive information security program. 
The bank may fulfill this requirement either by including a subsidiary within the scope of the bank’s comprehensive information security program or by causing the subsidiary to implement a separate comprehensive information security program in accordance with the standards and procedures in sections II and III of this appendix that apply to banks.

B. Objectives. A bank’s information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Federal Register/Vol. 66, No. 22/Thursday, February 1, 2001/Rules and Regulations

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank shall:
1. Approve the bank’s written information security program; and
2. Oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each bank shall:
1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. Each bank shall:
1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:
a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;
c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
d. Procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program;
e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;
f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
g. Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and
h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
2. Train staff to implement the bank’s information security program.
3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

D. Oversee Service Provider Arrangements. Each bank shall:
1. Exercise appropriate due diligence in selecting its service providers;
2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
3. Where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program. Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank’s compliance with these Guidelines.
The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards.
1. Effective date. Each bank must implement an information security program pursuant to these Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the bank entered into the contract on or before March 5, 2001.

PART 211—INTERNATIONAL BANKING OPERATIONS (REGULATION K)

4. The authority citation for part 211 is revised to read as follows:
Authority: 12 U.S.C. 221 et seq., 1818, 1835a, 1841 et seq., 3101 et seq., and 3901 et seq.; 15 U.S.C. 6801 and 6805.
5. Add new § 211.9 to read as follows:
§ 211.9 Protection of customer information.
An Edge or agreement corporation shall comply with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), set forth in appendix D-2 to part 208 of this chapter.
6. In § 211.24, add new paragraph (i) to read as follows:
§ 211.24 Approval of offices of foreign banks; procedures for applications; standards for approval; representative-office activities and standards for approval; preservation of existing authority; reports of crimes and suspected crimes; government securities sales practices.
* * * * *
(i) Protection of customer information.
An uninsured state-licensed branch or agency of a foreign bank shall comply with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), set forth in appendix D–2 to part 208 of this chapter.

PART 225—BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL (REGULATION Y)

7. The authority citation for part 225 is revised to read as follows:
Authority: 12 U.S.C. 1817(j)(13), 1818, 1828(o), 1831i, 1831p–1, 1843(c)(8), 1844(b), 1972(1), 3106, 3108, 3310, 3331–3351, 3907, and 3909; 15 U.S.C. 6801 and 6805.
8. In § 225.1, add new paragraph (c)(16) to read as follows:
§ 225.1 Authority, purpose, and scope.
* * * * *
(c) * * *
(16) Appendix F contains the Interagency Guidelines Establishing Standards for Safeguarding Customer Information.
9. In § 225.4, add new paragraph (h) to read as follows:
§ 225.4 Corporate practices.
* * * * *
(h) Protection of nonpublic personal information. A bank holding company, including a bank holding company that is a financial holding company, shall comply with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, as set forth in appendix F of this part, prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805).
10. Add new appendix F to read as follows:

Appendix F to Part 225—Interagency Guidelines Establishing Standards for Safeguarding Customer Information

Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

These Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805). These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisors), for which the Board has supervisory authority.

B. Preservation of Existing Authority. These Guidelines do not in any way limit the authority of the Board to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The Board may take action under these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the Board.

C. Definitions.
1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1).
2. For purposes of the Guidelines, the following definitions apply:
a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.
b. Customer means any customer of the bank holding company as defined in § 216.3(h) of this chapter.
c. Customer information means any record containing nonpublic personal information, as defined in § 216.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank holding company.
d. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
e. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank holding company.
f. Subsidiary means any company controlled by a bank holding company, except a broker, dealer, person providing insurance, investment company, investment advisor, insured depository institution, or subsidiary of an insured depository institution.

II. Standards for Safeguarding Customer Information

A. Information Security Program. Each bank holding company shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank holding company and the nature and scope of its activities. While all parts of the bank holding company are not required to implement a uniform set of policies, all elements of the information security program must be coordinated. A bank holding company also shall ensure that each of its subsidiaries is subject to a comprehensive information security program. The bank holding company may fulfill this requirement either by including a subsidiary within the scope of the bank holding company’s comprehensive information security program or by causing the subsidiary to implement a separate comprehensive information security program in accordance with the standards and procedures in sections II and III of this appendix that apply to bank holding companies.

B. Objectives. A bank holding company’s information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank holding company shall:
1. Approve the bank holding company’s written information security program; and
2. Oversee the development, implementation, and maintenance of the bank holding company’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each bank holding company shall:
1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. Each bank holding company shall:
1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank holding company’s activities. Each bank holding company must consider whether the following security measures are appropriate for the bank holding company and, if so, adopt those measures the bank holding company concludes are appropriate:
a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;
c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
d. Procedures designed to ensure that customer information system modifications are consistent with the bank holding company’s information security program;
e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;
f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
g. Response programs that specify actions to be taken when the bank holding company suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and
h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
2. Train staff to implement the bank holding company’s information security program.
3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank holding company’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

D. Oversee Service Provider Arrangements. Each bank holding company shall:
1. Exercise appropriate due diligence in selecting its service providers;
2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
3. Where indicated by the bank holding company’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank holding company should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program. Each bank holding company shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank holding company’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. Each bank holding company shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank holding company’s compliance with these Guidelines. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards.
1. Effective date. Each bank holding company must implement an information security program pursuant to these Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank holding company has entered into with a service provider to perform services for it or functions on its behalf satisfies the provisions of section III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the bank holding company entered into the contract on or before March 5, 2001.

PART 263—RULES OF PRACTICE FOR HEARINGS

11. The authority citation for part 263 is revised to read as follows:
Authority: 5 U.S.C. 504; 12 U.S.C. 248, 324, 504, 505, 1817(j), 1818, 1828(c), 1831o, 1831p–1, 1847(b), 1847(d), 1884(b), 1972(2)(F), 3105, 3107, 3108, 3907, 3909; 15 U.S.C. 21, 78o-4, 78o-5, 78u-2, 6801, 6805; and 28 U.S.C. 2461 note.
12. Amend § 263.302 to revise paragraph (a) to read as follows:
§ 263.302 Determination and notification of failure to meet safety and soundness standard and request for compliance plan.
(a) Determination. The Board may, based upon an examination, inspection, or any other information that becomes available to the Board, determine that a bank has failed to satisfy the safety and soundness standards contained in the Interagency Guidelines Establishing Standards for Safety and Soundness or the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, set forth in appendices D–1 and D–2 to part 208 of this chapter, respectively.
* * * * *

By order of the Board of Governors of the Federal Reserve System, January 4, 2001.
Jennifer J. Johnson, Secretary of the Board.
Federal Deposit Insurance Corporation
12 CFR Chapter III

Authority and Issuance

For the reasons set forth in the joint preamble, parts 308 and 364 of chapter III of title 12 of the Code of Federal Regulations are amended as follows:

PART 308—RULES OF PRACTICE AND PROCEDURE

1. The authority citation for part 308 is revised to read as follows:
Authority: 5 U.S.C. 504, 554–557; 12 U.S.C. 93(b), 164, 505, 1815(e), 1817, 1818, 1820, 1828, 1829, 1829b, 1831i, 1831o, 1831p–1, 1832(c), 1884(b), 1972, 3102, 3108(a), 3349, 3909, 4717; 15 U.S.C. 78(h) and (i), 78o–4(c), 78o–5, 78q–1, 78s, 78u, 78u–2, 78u–3 and 78w; 6801(b), 6805(b)(1), 28 U.S.C. 2461 note; 31 U.S.C. 330, 5321; 42 U.S.C. 4012a; Sec. 3100(s), Pub. L. 104–134, 110 Stat. 1321–358.
1. Amend § 308.302 to revise paragraph (a) to read as follows:
§ 308.302 Determination and notification of failure to meet a safety and soundness standard and request for compliance plan.
(a) Determination. The FDIC may, based upon an examination, inspection or any other information that becomes available to the FDIC, determine that a bank has failed to satisfy the safety and soundness standards set out in part 364 of this chapter and in the Interagency Guidelines Establishing Standards for Safety and Soundness in appendix A and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information in appendix B to part 364 of this chapter.
* * * * *

PART 364—STANDARDS FOR SAFETY AND SOUNDNESS

2. The authority citation for part 364 is revised to read as follows:
Authority: 12 U.S.C. 1819(Tenth), 1831p–1; 15 U.S.C. 6801(b), 6805(b)(1).
3. Amend § 364.101 to revise paragraph (b) to read as follows:
§ 364.101 Standards for safety and soundness.
* * * * *
(b) Interagency Guidelines Establishing Standards for Safeguarding Customer Information. The Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p–1) and sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)), as set forth in appendix B to this part, apply to all insured state nonmember banks, insured state licensed branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
4. Revise appendix B to part 364 to read as follows:

Appendix B to Part 364—Interagency Guidelines Establishing Standards for Safeguarding Customer Information

Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p–1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of entities over which the Federal Deposit Insurance Corporation (FDIC) has authority.
Such entities, referred to as “the bank,” are banks insured by the FDIC (other than members of the Federal Reserve System), insured state branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit the authority of the FDIC to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. The FDIC may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to the FDIC.

C. Definitions.
1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1).
2. For purposes of the Guidelines, the following definitions apply:
a. Board of directors, in the case of a branch or agency of a foreign bank, means the managing official in charge of the branch or agency.
b. Customer means any customer of the bank as defined in § 332.3(h) of this chapter.
c. Customer information means any record containing nonpublic personal information, as defined in § 332.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the bank.
d. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
e. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.

II. Standards for Safeguarding Customer Information

A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

B. Objectives. A bank’s information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. Development and Implementation of Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each bank shall:
1. Approve the bank’s written information security program; and
2. Oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each bank shall:
1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. Each bank shall:
1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:
a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;
c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
d. Procedures designed to ensure that customer information system modifications are consistent with the bank’s information security program;
e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;
f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
g. Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and
h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
2. Train staff to implement the bank’s information security program.
3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

D. Oversee Service Provider Arrangements. Each bank shall:
1. Exercise appropriate due diligence in selecting its service providers;
2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
3. Where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program. Each bank shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the bank’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

F. Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank’s compliance with these Guidelines.
The report, which will vary depending upon the complexity of each bank’s program, should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations, and management’s responses; and recommendations for changes in the information security program.

G. Implement the Standards.
1. Effective date. Each bank must implement an information security program pursuant to these Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements with service providers. Until July 1, 2003, a contract that a bank has entered into with a service provider to perform services for it or functions on its behalf, satisfies the provisions of paragraph III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information as long as the bank entered into the contract on or before March 5, 2001.

By order of the Board of Directors.
Dated at Washington, D.C., this 21st day of December, 2000.
Federal Deposit Insurance Corporation.
Robert E. Feldman, Executive Secretary.

Office of Thrift Supervision
12 CFR Chapter V

Authority and Issuance

For the reasons set forth in the joint preamble, parts 568 and 570 of chapter V of title 12 of the Code of Federal Regulations are amended as follows:

PART 568—SECURITY PROCEDURES

1. The authority citation of part 568 is revised to read as follows:
Authority: Secs. 2-5, 82 Stat. 294-295 (12 U.S.C. 1881-1984); 12 U.S.C. 1831p-1; 15 U.S.C. 6801, 6805(b)(1).
2. Amend § 568.1 by revising paragraph (a) to read as follows:
§ 568.1 Authority, purpose, and scope.
(a) This part is issued by the Office of Thrift Supervision (OTS) pursuant to section 3 of the Bank Protection Act of 1968 (12 U.S.C. 1882), and sections 501 and 505(b)(1) of the Gramm-Leach-Bliley Act (12 U.S.C. 6801, 6805(b)(1)). This part is applicable to savings associations.
It requires each savings association to adopt appropriate security procedures to discourage robberies, burglaries, and larcenies and to assist in the identification and prosecution of persons who commit such acts. Section 568.5 of this part is applicable to savings associations and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers). Section 568.5 of this part requires covered institutions to establish and implement appropriate administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
* * * * *
3. Add new § 568.5 to read as follows:
§ 568.5 Protection of customer information.
Savings associations and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) must comply with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information prescribed pursuant to sections 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805), set forth in appendix B to part 570 of this chapter.

PART 570—SUBMISSION AND REVIEW OF SAFETY AND SOUNDNESS COMPLIANCE PLANS AND ISSUANCE OF ORDERS TO CORRECT SAFETY AND SOUNDNESS DEFICIENCIES

4. Amend § 570.1 by adding a sentence at the end of paragraph (a) and revising the last sentence of paragraph (b) to read as follows:
§ 570.1 Authority, purpose, scope and preservation of existing authority.
(a) * * * Appendix B to this part is further issued under sections 501(b) and 505 of the Gramm-Leach-Bliley Act (Pub. L. 106–102, 113 Stat. 1338 (1999)).
(b) * * * Interagency Guidelines Establishing Standards for Safeguarding Customer Information are set forth in appendix B to this part.
* * * * *
5. Amend § 570.2 by revising paragraph (a) to read as follows:
§ 570.2 Determination and notification of failure to meet safety and soundness standards and request for compliance plan.
(a) Determination. OTS may, based upon an examination, inspection, or any other information that becomes available to OTS, determine that a savings association has failed to satisfy the safety and soundness standards contained in the Interagency Guidelines Establishing Standards for Safety and Soundness as set forth in appendix A to this part or the Interagency Guidelines Establishing Standards for Safeguarding Customer Information as set forth in appendix B to this part.
* * * * *
6. Revise appendix B to part 570 to read as follows:

Appendix B to Part 570—Interagency Guidelines Establishing Standards for Safeguarding Customer Information

Table of Contents
I. Introduction
A. Scope
B. Preservation of Existing Authority
C. Definitions
II. Standards for Safeguarding Customer Information
A. Information Security Program
B. Objectives
III. Development and Implementation of Customer Information Security Program
A. Involve the Board of Directors
B. Assess Risk
C. Manage and Control Risk
D. Oversee Service Provider Arrangements
E. Adjust the Program
F. Report to the Board
G. Implement the Standards

I. Introduction

The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Guidelines) set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p–1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines address standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

A. Scope. The Guidelines apply to customer information maintained by or on behalf of entities over which OTS has authority.
For purposes of this appendix, these entities are savings associations whose deposits are FDIC-insured and any subsidiaries of such savings associations, except brokers, dealers, persons providing insurance, investment companies, and investment advisers. This appendix refers to such entities as “you”.
B. Preservation of Existing Authority. Neither section 39 nor these Guidelines in any way limit OTS’s authority to address unsafe or unsound practices, violations of law, unsafe or unsound conditions, or other practices. OTS may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to, any other enforcement action available to OTS.
C. Definitions.
1. Except as modified in the Guidelines, or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in sections 3 and 39 of the Federal Deposit Insurance Act (12 U.S.C. 1813 and 1831p–1).
2. For purposes of the Guidelines, the following definitions apply:
a. Customer means any of your customers as defined in § 573.3(h) of this chapter.
b. Customer information means any record containing nonpublic personal information, as defined in § 573.3(n) of this chapter, about a customer, whether in paper, electronic, or other form, that you maintain or that is maintained on your behalf.
c. Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
d. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to you.

II. Standards for Safeguarding Customer Information
A. Information Security Program. You shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to your size and complexity and the nature and scope of your activities.
While all parts of your organization are not required to implement a uniform set of policies, all elements of your information security program must be coordinated.
B. Objectives. Your information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

III. Development and Implementation of Information Security Program
A. Involve the Board of Directors. Your board of directors or an appropriate committee of the board shall:
1. Approve your written information security program; and
2. Oversee the development, implementation, and maintenance of your information security program, including assigning specific responsibility for its implementation and reviewing reports from management.
B. Assess Risk. You shall:
1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.
C. Manage and Control Risk. You shall:
1. Design your information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of your activities. You must consider whether the following security measures are appropriate for you and, if so, adopt those measures you conclude are appropriate:
a.
Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
b. Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;
c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
d. Procedures designed to ensure that customer information system modifications are consistent with your information security program;
e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;
f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
g. Response programs that specify actions for you to take when you suspect or detect that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and
h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
2. Train staff to implement your information security program.
3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by your risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
D. Oversee Service Provider Arrangements. You shall:
1.
Exercise appropriate due diligence in selecting your service providers;
2. Require your service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
3. Where indicated by your risk assessment, monitor your service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, you should review audits, summaries of test results, or other equivalent evaluations of your service providers.
E. Adjust the Program. You shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of your customer information, internal or external threats to information, and your own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
F. Report to the Board. You shall report to your board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and your compliance with these Guidelines. The reports should discuss material matters related to your program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.
G. Implement the Standards.
1. Effective date. You must implement an information security program pursuant to these Guidelines by July 1, 2001.
2. Two-year grandfathering of agreements with service providers.
Until July 1, 2003, a contract that you have entered into with a service provider to perform services for you or functions on your behalf satisfies the provisions of paragraph III.D., even if the contract does not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as you entered into the contract on or before March 5, 2001.

Dated: December 19, 2000.
By the Office of Thrift Supervision.
Ellen Seidman, Director.
[FR Doc. 01–1114 Filed 1–31–01; 8:45 am]
BILLING CODE 4810–33–P; 6210–01–P; 6714–01–P; 6720–01–P